For the same reason as /run and /dev/shm: when systemd is running with SMACK, countless tasks fail because of missing privileges. To avoid this, /tmp is assigned the '*' label. --- Makefile.am | 10 ++++++---- configure.ac | 4 +++- units/tmp.mount | 20 -------------------- units/tmp.mount.m4 | 22 ++++++++++++++++++++++ 4 files changed, 31 insertions(+), 25 deletions(-) delete mode 100644 units/tmp.mount create mode 100644 units/tmp.mount.m4
diff --git a/Makefile.am b/Makefile.am index 4a96a50..6c977e8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -399,7 +399,6 @@ dist_systemunit_DATA = \ units/sys-kernel-config.mount \ units/sys-kernel-debug.mount \ units/sys-fs-fuse-connections.mount \ - units/tmp.mount \ units/printer.target \ units/sound.target \ units/bluetooth.target \ @@ -444,7 +443,8 @@ nodist_systemunit_DATA = \ units/initrd-cleanup.service \ units/initrd-udevadm-cleanup-db.service \ units/initrd-switch-root.service \ - units/systemd-nspawn@.service + units/systemd-nspawn@.service \ + units/tmp.mount dist_userunit_DATA = \ units/user/default.target \ @@ -488,12 +488,14 @@ EXTRA_DIST += \ units/initrd-cleanup.service.in \ units/initrd-udevadm-cleanup-db.service.in \ units/initrd-switch-root.service.in \ - units/systemd-nsp...@.service.in + units/systemd-nsp...@.service.in \ + units/tmp.mount.m4 CLEANFILES += \ units/console-shell.service.m4 \ units/console-getty.service.m4 \ - units/rescue.service.m4 + units/rescue.service.m4 \ + units/tmp.mount.m4 if HAVE_SYSV_COMPAT nodist_systemunit_DATA += \ diff --git a/configure.ac b/configure.ac index 7e41d57..65268e8 100644 --- a/configure.ac +++ b/configure.ac @@ -503,6 +503,8 @@ AC_SUBST(XATTR_LIBS) AM_CONDITIONAL([HAVE_XATTR], [test "x$have_xattr" != xno]) # ------------------------------------------------------------------------------ +M4_DEFINES= + AC_ARG_ENABLE([smack], AS_HELP_STRING([--disable-smack],[Disable optional SMACK support]), [case "${enableval}" in yes) have_smack=yes ;; @@ -531,6 +533,7 @@ AS_HELP_STRING([--with-smack-run-label=STRING], if test "x${have_smack}" = xyes ; then AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available]) + M4_DEFINES="$M4_DEFINES -DHAVE_SMACK" fi # ------------------------------------------------------------------------------ 
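Review bot: The third Makefile.am hunk adds `units/tmp.mount.m4` to `CLEANFILES`, but this commit creates that file as a checked-in source and also lists it in `EXTRA_DIST`, so an in-tree `make clean` would presumably delete the template itself. The neighbouring `.m4` entries in `CLEANFILES` are presumably generated intermediates, which this file is not. I would drop that addition and leave `units/rescue.service.m4` as the last `CLEANFILES` entry. The generated `units/tmp.mount` is the file that needs cleaning; whether `nodist_systemunit_DATA` is already cleaned elsewhere is not visible in these hunks.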
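Review bot: `M4_DEFINES=` in the first configure.ac hunk now sits at the top of the SMACK section with no comment, and every append to it has to come after this line; a feature block later placed above it would have its flags silently reset. I would add a comment there such as `# M4_DEFINES collects the -D flags passed to m4 for unit templates; initialise it before any feature check appends to it`. Note also that `-DHAVE_SMACK` in the second hunk records a build-time choice, while whether SMACK is the active LSM is only known at boot, so a template keyed on this define cannot react to the running kernel.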
@@ -891,7 +894,6 @@ AM_CONDITIONAL(ENABLE_MANPAGES, [test "x$have_manpages" = "xyes"]) # Location of the init scripts as mandated by LSB SYSTEM_SYSVINIT_PATH=/etc/init.d SYSTEM_SYSVRCND_PATH=/etc/rc.d -M4_DEFINES= AC_ARG_WITH([sysvinit-path], [AS_HELP_STRING([--with-sysvinit-path=PATH], diff --git a/units/tmp.mount b/units/tmp.mount deleted file mode 100644 index 99a3ba3..0000000 --- a/units/tmp.mount +++ /dev/null @@ -1,20 +0,0 @@ -# This file is part of systemd. -# -# systemd is free software; you can redistribute it and/or modify it -# under the terms of the GNU Lesser General Public License as published by -# the Free Software Foundation; either version 2.1 of the License, or -# (at your option) any later version. - -[Unit] -Description=Temporary Directory -Documentation=man:hier(7) -Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems -DefaultDependencies=no -Conflicts=umount.target -Before=local-fs.target umount.target - -[Mount] -What=tmpfs -Where=/tmp -Type=tmpfs -Options=mode=1777,strictatime diff --git a/units/tmp.mount.m4 b/units/tmp.mount.m4 new file mode 100644 index 0000000..46c7fcd --- /dev/null +++ b/units/tmp.mount.m4 
@@ -0,0 +1,22 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Temporary Directory
+Documentation=man:hier(7)
+Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+m4_ifdef(`HAVE_SMACK',
+`Options=mode=1777,strictatime,smackfsroot=*',
+`Options=mode=1777,strictatime')
-- 
1.7.9.5
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
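Review bot: The `m4_ifdef` at the end of the `[Mount]` section picks the `smackfsroot=*` variant at build time, so a systemd built with SMACK support always mounts /tmp with that option, whether or not the running kernel has SMACK active. I would expect tmpfs to reject the option as unknown when no SMACK LSM consumes it, which would leave tmp.mount failed on such a boot; this should be confirmed on a non-SMACK kernel before merging. The unit also carries no explanation of the label. A comment above the `m4_ifdef`, for example `# SMACK: label the /tmp root '*' so every subject label may use the directory; files created below it still get their creator's label`, would record the intent; the second half of that comment is my reading of SMACK's defaults and should be checked.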