git.ipfire.org Git - thirdparty/systemd.git/commit

author	Casey Schaufler <casey@schaufler-ca.com>
	Fri, 8 Nov 2013 17:42:26 +0000 (09:42 -0800)
committer	Patrick Ohly <patrick.ohly@intel.com>
	Mon, 11 Jan 2016 10:12:06 +0000 (11:12 +0100)
commit	ae176752f9c91073d234448b28ae95b37b97b719
tree	f679b3c879e7c3e9cad926cf9e1eabfe8a67a5a7	tree \| snapshot
parent	cf6c8c46fceac83dfb3f2d55fae5220e60841553	commit \| diff

smack: Handling network

- Set Smack ambient to match run label
- Set Smack netlabel host rules

Set Smack ambient to match run label
------------------------------------
Set the Smack networking ambient label to match the
run label of systemd. System services may expect to
communicate with external services over IP. Setting
the ambient label assigns that label to IP packets
that do not include CIPSO headers. This allows systemd
and the services it spawns access to unlabeled IP
packets, and hence external services.

A system may choose to restrict network access to
particular services later in the startup process.
This is easily done by resetting the ambient label
elsewhere.

Set Smack netlabel host rules
-----------------------------
If SMACK_RUN_LABEL is defined set all other hosts to be
single label hosts at the specified label. Set the loopback
address to be a CIPSO host.

If any netlabel host rules are defined in /etc/smack/netlabel.d
install them into the smackfs netlabel interface.

[Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf]
[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"]
[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"]
[Patrick Ohly: adapted to upstream code review feedback: error logging, string constants]