From: Auke Kok Date: Wed, 25 Sep 2013 22:49:42 +0000 (-0700) Subject: Run with a custom SMACK domain (label). X-Git-Tag: v209~1968 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=8b197c3a8a57c3f7c231b39e5660856fd9580c80;ds=sidebyside Run with a custom SMACK domain (label). Allows the systemd --system process to change its current SMACK label to a predefined custom label (usually "system") at boot time. This is needed to have a few system-generated folders and sockets automatically be created with the right SMACK label. Without that, processes either cannot communicate with systemd or systemd fails to perform some actions. --- diff --git a/configure.ac b/configure.ac index 4f26092e9..00ee9bb92 100644 --- a/configure.ac +++ b/configure.ac @@ -524,6 +524,12 @@ else fi fi +AC_ARG_WITH(smack-run-label, +AS_HELP_STRING([--with-smack-run-label=STRING], + [run systemd --system with a specific SMACK label]), + [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run with a smack label])], + []) + if test "x${have_smack}" = xyes ; then AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available]) fi diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c index 1434dea7c..611bfdb2d 100644 --- a/src/core/smack-setup.c +++ b/src/core/smack-setup.c @@ -36,6 +36,7 @@ #include "macro.h" #include "smack-setup.h" #include "util.h" +#include "fileio.h" #include "log.h" #include "label.h" @@ -138,6 +139,13 @@ int smack_setup(void) { return 0; } +#ifdef SMACK_RUN_LABEL + r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL); + if (r) + log_warning("Failed to set SMACK label \"%s\" on self: %s", + SMACK_RUN_LABEL, strerror(-r)); +#endif + r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG); switch(r) { case -ENOENT: