Martin Orr ([email protected] on 2012-02-09 09:39 +0000):

> On Tue, Jan 17, 2012 at 12:06:16AM +0100, Arno wrote:
> >
> > So, bug report first:
> > mountkernfs.sh restores the context for /run/lock before mounting
> > it as a separate filesystem. This doesn't go down well with selinux
> > policy, because we're not supposed to mount on top of var_lock_t:
> >
> > avc: denied { mounton } for pid=287 comm="mount"
> > path="/run/lock" dev=tmpfs ino=3033
> > scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
>
> The correct fix is to allow mounting on var_lock_t in policy.
> This makes sense because /var/lock has always been a valid mountpoint,
> even before /run.
>
> > Wishlist item next:
Ok, just drop this part. As I've learned, the whole exercise will be moot anyway once selinux's support for named file transitions enters Debian (https://fedoraproject.org/wiki/Features/SELinuxFileNameTransition).

Which leaves the /run/lock mounting issue, for which I don't have the solution. CC'ing Russell as selinux maintainer.

Regards,
Arno
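As an added illustration (not code from this thread or from sysvinit), the snippet below parses the AVC denial quoted above into its fields and derives the allow rule that Martin's proposed policy fix amounts to, merging repeated denials per source/target/class the way audit2allow summarises a log. The second log line is a constructed sample, not from the thread, and exists only to show the merging.

```python
import re

# Constructed sample: the denial quoted in the thread, re-joined onto one line as the
# kernel writes it to the audit log; the second line is made up to exercise merging.
SAMPLE_LOG = [
    'avc: denied { mounton } for pid=287 comm="mount" path="/run/lock" '
    'dev=tmpfs ino=3033 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:var_lock_t:s0 tclass=dir',
    'avc: denied { getattr } for pid=287 comm="mount" path="/run/lock" '
    'dev=tmpfs ino=3033 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:var_lock_t:s0 tclass=dir',  # constructed
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return perms, source/target types, object class and raw fields of one
    AVC denial, or None if the line is not a well-formed denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    ctxs = [fields.get('scontext', '').split(':'), fields.get('tcontext', '').split(':')]
    if any(len(c) < 3 for c in ctxs) or 'tclass' not in fields:
        return None
    # A security context is user:role:type[:range]; the type is the third field.
    return {'perms': m.group('perms').split(), 'stype': ctxs[0][2],
            'ttype': ctxs[1][2], 'tclass': fields['tclass'], 'fields': fields}

def allow_rule(denial):
    """Render one denial (or a merged set of perms) as a policy allow rule."""
    perms = ' '.join(denial['perms'])
    if len(denial['perms']) > 1:
        perms = '{ ' + perms + ' }'
    return f"allow {denial['stype']} {denial['ttype']}:{denial['tclass']} {perms};"

def rules_from_log(lines):
    """One allow rule per (source type, target type, class), permissions merged."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged.setdefault((d['stype'], d['ttype'], d['tclass']), set()).update(d['perms'])
    return [allow_rule({'stype': s, 'ttype': t, 'tclass': c, 'perms': sorted(p)})
            for (s, t, c), p in sorted(merged.items())]

if __name__ == '__main__':
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
```

The rule for the thread's own denial comes out as `allow mount_t var_lock_t:dir mounton;`; where it belongs in the distribution policy is a matter for the policy maintainer, which is why Russell is CC'd.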

