smack-team / smack

Smack userspace
GNU Lesser General Public License v2.1

How to set the label to some files or directories when system boot up #134

Open xdsb opened 1 year ago

xdsb commented 1 year ago

How do I set the label on some files or directories automatically when the system boots up? Not by using the smack-util tool chsmack ("chsmack -a 'attr' file") in a terminal after the Linux system boots up, but just like setting file_contexts in SELinux. Thank you.

cschaufler commented 1 year ago

SELinux uses a utility to initialize labels at system boot. On a system that uses systemd this is selinux-autorelabel.service. For a Smack system that uses systemd you will want to follow that example. What system are you targeting?

On 12/4/2022 7:06 PM, xdsb wrote:

How do I set the label on some files or directories automatically when the system boots up? Not by using the smack-util tool chsmack ("chsmack -a 'attr' file") in a terminal after the Linux system boots up, but just like setting file_contexts in SELinux. Thank you.


xdsb commented 1 year ago

Smack with systemd, and I want to set Smack labels for some files and directories in the rootfs so that the labels are set automatically at system boot, just like using make_ext4fs with the option -S file_contexts to set labels in SELinux when making the rootfs image. Could I also set Smack labels this way?

cschaufler commented 1 year ago

Unfortunately, the authors of make_ext4fs made it SELinux specific. It would not be difficult to add support for extended attributes in general, or just for Smack.

On 12/5/2022 7:27 PM, xdsb wrote:

Smack, and I want to set Smack labels for some files and directories in the rootfs so that the labels are set automatically at boot, just like using make_ext4fs with the option -S file_contexts to set labels in SELinux when making the rootfs image. Could I also set Smack labels this way?


xdsb commented 1 year ago

Okay, thank you for your reply. So, how do I set Smack labels on files or directories at system boot? Is there any solution?

cschaufler commented 1 year ago

Are you using systemd? If not, what are you using for system management?

On 12/6/2022 7:55 AM, xdsb wrote:

Okay, thank you for your reply. So, how do I set Smack labels on files or directories at system boot?


xdsb commented 1 year ago

Yeah, we use systemd for system management.

cschaufler commented 1 year ago

An example of an implementation of Smack initialization can be found:

https://gerrit.automotivelinux.org/gerrit/gitweb?p=AGL/meta-agl.git;a=tree;f=meta-security/recipes-core/systemd/systemd;h=919d2aa051b7b5c44988c38ada15153e9912f23a;hb=refs/changes/23/18823/4

On 12/6/2022 8:04 AM, xdsb wrote:

Yeah, we use systemd for system management.


jobol commented 1 year ago

When using Yocto, some of the labelling made in post install of packets is managed using pseudo. It emulates system calls and takes care of security attributes. There is some magic to then apply it in the image either directly or at first boot. But it does not solve transmutation issues because it neither knows nor emulates the process labels.

In my opinion, you are looking for a tool that, based on some predefined rules, enforces Smack labels on files. No such official Smack tool exists, AFAIK.

xdsb commented 1 year ago

Yeah, @jobol, we just want to set labels on files or directories in the rootfs at system boot, or set labels when making the rootfs image, just like "make_ext4fs -S file_context" in SELinux.

file_contexts:

```
###########################################
# Root
/                   u:object_r:rootfs:s0
# Data files
/adb_keys           u:object_r:adb_keys_file:s0
/build.prop         u:object_r:rootfs:s0
/default.prop       u:object_r:rootfs:s0
# Executables
/init               u:object_r:init_exec:s0
......
###########################################
```

And then the system loads the predefined rules files that are installed into /etc/smack/accesses.d (such as default-access-domains, ...).
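One way to do the rules-driven labelling discussed in this thread, as an added example that is not part of the thread or of the Smack project: a script that a systemd oneshot unit could run at boot to apply `chsmack -a` (the command quoted in the original question) to each path in a rules file. The `<path> <label>` rules format, the function names and the `DRY_RUN` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: apply Smack access labels from a rules file at boot.
# Assumed rules format, modelled on file_contexts: "<absolute path> <label>"
# per line, '#' starts a comment. Constructed sample:
#   /etc/app.conf   System
#   /usr/bin/app    _
# Meant to run as root from a Type=oneshot systemd unit early in boot.
LC_ALL=C; export LC_ALL

# Succeeds if $1 is a well-formed Smack label: 1-255 printable ASCII
# characters, none of / \ ' ", and not starting with '-'.
valid_smack_label() {
    [ -n "$1" ] && [ "${#1}" -le 255 ] || return 1
    case "$1" in
        -*|*/*|*\\*|*\'*|*\"*|*[![:graph:]]*) return 1 ;;
    esac
}

# smack_relabel RULES [ROOT]: label every path listed in RULES, resolved
# under ROOT (default /). DRY_RUN=1 prints the chsmack commands instead of
# running them. Returns 1 if any rule was skipped or any chsmack call failed.
smack_relabel() {
    rules=$1 root=${2:-/} rc=0
    while read -r path label extra; do
        case "$path" in ''|'#'*) continue ;; esac
        target="${root%/}$path"
        if [ -n "$extra" ] || ! valid_smack_label "$label"; then
            echo "skip (malformed rule): $path" >&2; rc=1; continue
        fi
        case "$path" in
            /*) ;;
            *) echo "skip (relative path): $path" >&2; rc=1; continue ;;
        esac
        # Skip symlinks so a link cannot redirect the label to another file.
        if [ -L "$target" ] || [ ! -e "$target" ]; then
            echo "skip (missing or symlink): $target" >&2; rc=1; continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'chsmack -a %s %s\n' "$label" "$target"
        else
            chsmack -a "$label" "$target" || rc=1
        fi
    done < "$rules"
    return "$rc"
}

# Run only when given arguments: RULES [ROOT] (the rules path is your choice).
if [ "$#" -ge 1 ]; then smack_relabel "$@"; fi
```

Running it first with `DRY_RUN=1` against a staging root shows exactly which files would be relabelled; a non-zero exit lets the unit report rules that were skipped.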