On Mi, 01.08.18 11:18, Martin Townsend (mtownsend1...@gmail.com) wrote:

> @@ -728,7 +729,12 @@ static int manager_setup_notify(Manager *m) {
> 
>                  m->notify_fd = fd;
>                  fd = -1;
> -
> +                r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPIN, "*");
> +                if (r < 0)
> +                        log_error_errno(r, "mac_smack_apply_ip_in_fd: %m");
> +                r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPOUT, "@");
> +                if (r < 0)
> +                        log_error_errno(r, "mac_smack_apply_ip_out_fd: %m");
>                  log_debug("Using notification socket %s", m->notify_socket);
>          }
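
Review bot: the log messages on the two log_error_errno lines name functions that are not the ones called. Both calls are to mac_smack_apply_fd() (with SMACK_ATTR_IPIN and SMACK_ATTR_IPOUT), yet the messages read "mac_smack_apply_ip_in_fd" and "mac_smack_apply_ip_out_fd", which will send anyone grepping the source from a log line to a function that does not exist; a message that says what failed is more useful, e.g. `log_error_errno(r, "Failed to set SMACK IPIN label on notification socket: %m");`. Also decide what a failure here should mean: the hunk logs at error level and carries on, so the manager keeps m->notify_fd with whatever label it got, and the User-labelled services the question is about would then be denied access to /run/systemd/notify without anything fatal happening at startup. Either return the error (r is already in scope, as the assignments in the hunk show) or, if continuing is intended, log at warning level so the severity matches the behaviour. Finally, a short comment stating why IPIN gets "*" and IPOUT gets "@" would help maintainers who, as the reply says, do not track SMACK semantics themselves.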
> 
> Is there a better way of ensuring /run/systemd/notify can be accessed
> by a service with a User-defined SMACK label? Or is this patch to
> manager_setup_notify sufficient?

Generally, we upstream rely on submitted patches for everything MAC
related. We do not know the various MACs well enough to be able to
maintain this part of our codebase on our own.

Hence, if a patch like the one above is something we are supposed to
merge upstream, then please post it as a PR on our systemd GitHub, and
make sure that someone from SMACK upstream (for example Casey) likes
it and says so on the PR.

Thank you,

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
