Martin Orr ([email protected] on 2012-02-09 09:39 +0000):

> > > > avc: denied { mounton } for pid=287 comm="mount"
> > path="/run/lock" dev=tmpfs ino=3033
> > scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> > The correct fix is to allow mounting on var_lock_t in policy.
> This makes sense because /var/lock has always been a valid mountpoint,
> even before /run.

The policy allows mounting on top of /run; that should be sufficient as long as /run/lock is not labeled before it is mounted. I'm certainly no SELinux expert, but I don't see why the mountpoint should be labeled var_lock_t. I'm happy to defer that decision to the maintainers.

> SELinux contexts should never be hardcoded anywhere outside the
> policy. This goes completely against the architecture of SELinux,
> with even the kernel initial SID being specified by policy.

If you don't mind me asking: how is this achieved? Is part of the policy included in the initramfs, or are kernel processes relabeled after loading the policy?

> From a practical point of view, it would be far from obvious that you need
> to specify contexts in /etc/default/tmpfs if you use a non-default
> policy (which need not even be based on the refpolicy, so may not
> have types system_r, var_lock_t).

Agreed.

> If you really want to use rootcontext, then you should use getfilecon
> to get the context.

Thanks for that pointer, I'm sure it will be useful in the future.

> Your patch also removes the "restorecon -r /run" which is needed to
> fix the unlabelled files in /run coming from the initramfs (see
> #628107).

... unless the same rootcontext is applied from within the initramfs of course. Well, that's why its severity is wishlist. The patch was mostly for illustrative purposes (RFC), it's not a finished work.

Regards,
Arno
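As an added illustration of the point raised in the thread (derive the mount context from the already-labelled path instead of hardcoding it in /etc/default/tmpfs), here is example code that is not part of the original mail or the sysvinit package. It reads the `security.selinux` extended attribute, which is what libselinux's `getfilecon()` does underneath, and builds a `rootcontext=` mount option from it; the `constructed_reader` and the label it returns are made up for demonstration and mirror the AVC message above.

```python
import os

SELINUX_XATTR = "security.selinux"


def read_file_context(path, xattr_reader=os.getxattr):
    """Return the SELinux label of `path`, or None if none can be read.

    The label lives in the security.selinux xattr (the same source
    libselinux's getfilecon() uses). The stored value is NUL-terminated,
    so the trailing NUL is stripped before decoding.
    """
    try:
        raw = xattr_reader(path, SELINUX_XATTR)
    except OSError:
        # ENODATA (no label), ENOTSUP (no xattr support) or a missing
        # path: in all cases there is no policy-assigned label to reuse.
        return None
    return raw.rstrip(b"\0").decode("ascii")


def rootcontext_option(path, xattr_reader=os.getxattr):
    """Build a mount(8) rootcontext= option from the label on `path`.

    Returns None when the mountpoint is unlabelled, so the caller can
    fall back to letting policy (or a later restorecon) label it rather
    than inventing a context that may not exist in the loaded policy.
    """
    ctx = read_file_context(path, xattr_reader)
    if ctx is None:
        return None
    # A context is at least user:role:type; MLS/MCS policies add a level.
    if len(ctx.split(":")) < 3:
        raise ValueError(f"unexpected SELinux context {ctx!r} on {path}")
    return f"rootcontext={ctx}"


# Constructed stand-in for os.getxattr so the example runs without SELinux:
# /run/lock carries the label from the AVC denial, everything else is unlabelled.
def constructed_reader(path, name):
    assert name == SELINUX_XATTR
    if path == "/run/lock":
        return b"system_u:object_r:var_lock_t:s0\0"
    raise OSError(61, "No data available")  # ENODATA


if __name__ == "__main__":
    print(rootcontext_option("/run/lock", constructed_reader))
    print(rootcontext_option("/run/unlabelled", constructed_reader))
```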

