On Tue, Oct 15, 2013 at 5:50 PM, Demeter, Michael
<michael.deme...@intel.com> wrote:
>> This will pointlessly match on ttys, and apply the label to a*all*
>> devices on the system:
>> SUBSYSTEM=="tty",
>> SECLABEL{smack}="*"
>>
>> This is all wrong, please *really* test your stuff before submitting!
>>
>
> This is not pointlessly matching all ttys. This is exactly how I intended
> this rule to work. If there are separate Smack labels for floor, system and
> user then as soon as the first smack policy is established the user will no
> longer be able to use anything labeled as floor. This rule sets the stage
> correctly when Smack is enabled by allowing all reads and writes which is
> how it should be.
>
> Why do you think this is incorrect behavior?
>
> I am open to suggestions with regards to writing a rule that is better
> suited but it seems this does exactly what is needed for the system to
> operate correctly.
This needs to be in one line, not in two. 2 lines are 2 independent
rules, not related to each other. The 2nd rule will match for all
events on the system. This was obviously never tested before
submission.
Kay
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
