smack: label /etc/mtab as "_" when '--with-smack-run-label' is enabled.

/etc/mtab should be labeled as "_", even though systemd has its own
smack label using '--with-smack-run-label' configuration. This is mainly
because all processes could read that file and the origin of this file
(i.e. /proc/mounts) is labeled as "_". This labels /etc/mtab as "_" when
'--with-smack-run-label' is enabled.

diff --git a/configure.ac b/configure.ac
index 2024939ad0b1eeb8493bb26a6e82e1df61c14254..aad6782e0823282a5ba2ba05310af96e95d648fb 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -657,12 +657,17 @@ if test "x${have_smack}" = xauto; then
         have_smack=yes
 fi
 
+have_smack_run_label=no
 AC_ARG_WITH(smack-run-label,
 AS_HELP_STRING([--with-smack-run-label=STRING],
         [run systemd --system itself with a specific SMACK label]),
-        [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run systemd itself with SMACK label])],
+        [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run systemd itself with SMACK label]) have_smack_run_label=yes],
         [])
 
+if test "x${have_smack_run_label}" = xyes; then
+        M4_DEFINES="$M4_DEFINES -DHAVE_SMACK_RUN_LABEL"
+fi
+
 AC_ARG_WITH(smack-default-process-label,
 AS_HELP_STRING([--with-smack-default-process-label=STRING],
         [default SMACK label for executed processes]),

diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
index e74b02687ff59d318e37f724d6698a6b7b3c0613..ef7b9b954178ee7092a9028fa7da911409c9f79f 100644 (file)
--- a/tmpfiles.d/etc.conf.m4
+++ b/tmpfiles.d/etc.conf.m4
@@ -10,6 +10,9 @@
 L /etc/os-release - - - - ../usr/lib/os-release
 L /etc/localtime - - - - ../usr/share/zoneinfo/UTC
 L+ /etc/mtab - - - - ../proc/self/mounts
+m4_ifdef(`HAVE_SMACK_RUN_LABEL',
+t /etc/mtab - - - - security.SMACK64=_
+)m4_dnl
 m4_ifdef(`ENABLE_RESOLVED',
 L! /etc/resolv.conf - - - - ../run/systemd/resolve/resolv.conf
 )m4_dnl