units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabled

If SMACK is enabled, 'smackfsroot=*' option should be specified in
tmp.mount file since many non-root processes use /tmp for temporary
usage. If not, /tmp is labeled as '_' and smack denial occurs when
writing.

diff --git a/Makefile.am b/Makefile.am
index 8646e55450fb89005974226ed159707b2ec20732..889c03955aac695bbe9d26daa3f54e0e98932f24 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -616,7 +616,8 @@ EXTRA_DIST += \
        units/initrd-udevadm-cleanup-db.service.in \
        units/initrd-switch-root.service.in \
        units/systemd-nspawn@.service.in \
-       units/systemd-update-done.service.in
+       units/systemd-update-done.service.in \
+       units/tmp.mount.m4
 
 if HAVE_SYSV_COMPAT
 nodist_systemunit_DATA += \

diff --git a/units/tmp.mount b/units/tmp.mount.m4
similarity index 85%
rename from units/tmp.mount
rename to units/tmp.mount.m4
index 00a0d28722449038f17e6aa66cb6c70def0cf9f8..d537746dbf94f17e7a5d1b446eb8a46b99c7c241 100644 (file)
--- a/units/tmp.mount
+++ b/units/tmp.mount.m4
@@ -18,4 +18,6 @@ Before=local-fs.target umount.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options=mode=1777,strictatime
+m4_ifdef(`HAVE_SMACK',
+`Options=mode=1777,strictatime,smackfsroot=*',
+`Options=mode=1777,strictatime')