From: Chris PeBenito <pebenito@ieee.org>
To: Dominick Grift <dominick.grift@defensec.nl>
Cc: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] another systemd misc patch
Date: Fri, 5 Feb 2021 15:31:41 -0500
Message-ID: <0c8ef4b6-893a-134c-d8ba-c0a6af4e8638@ieee.org>
In-Reply-To: <ypjl5z36qnem.fsf@defensec.nl>

On 2/5/21 3:18 PM, Dominick Grift wrote:
> Chris PeBenito <pebenito@ieee.org> writes:
>> On 2/2/21 10:31 PM, Russell Coker wrote:
>>> Lots of little changes related to systemd.
>>> Signed-off-by: Russell Coker <russell@coker.com.au>

>>> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
>>>    # for /run/systemd/nspawn/incoming in chroot
>>>    allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>>>    +kernel_getattr_core_if(systemd_nspawn_t)
>>> +kernel_getattr_proc(systemd_nspawn_t)
>>> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
>>> +
>>>    kernel_mount_proc(systemd_nspawn_t)
>>>    kernel_mounton_sysctl_dirs(systemd_nspawn_t)
>>>    kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
>>>    kernel_mounton_message_if(systemd_nspawn_t)
>>>    kernel_mounton_proc(systemd_nspawn_t)
>>> +kernel_mounton_sysctl_files(systemd_nspawn_t)
>>> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
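Review bot: `kernel_getattr_unlabeled_dirs(systemd_nspawn_t)` and `kernel_mounton_unlabeled_dirs(systemd_nspawn_t)` grant access to directories that carry no SELinux label, which normally means the mount point is mislabeled or a file context entry is missing rather than that the policy is too tight; suggest dropping these two calls and instead adding the file context (or a restorecon step) for the path that produced the denial. The remaining new `kernel_getattr_*` and `kernel_mounton_*` lines would also benefit from a comment naming what triggers them, in the same style as the existing `# for /run/systemd/nspawn/incoming in chroot` comment above the `mounton` rule.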
>>
>> With all of the mounting, perhaps we should consider coalescing on
>> allowing it to mount an all init_mountpoint_types.
> 
> mounton unlabeled dirs indicates that something is unlabeled/mislabeled
> though. Wouldn't allow that.

Yes, I agree.  I noticed all the mountons but didn't notice this specific one.


-- 
Chris PeBenito
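The point raised in this thread, that a denial against `unlabeled_t` is a labeling problem to fix with file contexts rather than a policy gap to fix with an allow rule, is the kind of check worth automating before turning AVC output into interface calls. The following is an added example and not code from the thread or from refpolicy: a small triage script that parses AVC denial records, classifies each by its target type, and collects only the genuinely policy-relevant denials as candidates for a refpolicy interface. The sample records, paths and inode numbers embedded in `SAMPLE_AVC` are constructed for illustration; the field names (`scontext`, `tcontext`, `tclass`, `path`) follow the kernel's audit AVC format.

```python
import re

# Constructed sample AVC records (illustrative, not taken from a real system):
# one mounton against an unlabeled directory, one mounton against sysctl_t,
# and one getattr against proc_t, all from systemd_nspawn_t.
SAMPLE_AVC = """\
type=AVC msg=audit(1612554000.123:456): avc:  denied  { mounton } for  pid=4321 comm="systemd-nspawn" path="/var/lib/machines/test/proc" dev="dm-0" ino=262145 scontext=system_u:system_r:systemd_nspawn_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1612554000.124:457): avc:  denied  { mounton } for  pid=4321 comm="systemd-nspawn" path="/proc/sys" dev="proc" ino=4026531854 scontext=system_u:system_r:systemd_nspawn_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1612554000.125:458): avc:  denied  { getattr } for  pid=4321 comm="systemd-nspawn" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:systemd_nspawn_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0
"""

# Permission set, source/target contexts and object class of a denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)
# The path is optional in AVC records, so it is matched separately.
PATH_RE = re.compile(r'path="(?P<path>[^"]*)"')


def type_of(context):
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    p = PATH_RE.search(line)
    return {
        "perms": m.group("perms").split(),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "path": p.group("path") if p else None,
    }


def triage(log):
    """Classify every denial: unlabeled_t targets need relabeling, not policy."""
    results = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["ttype"] == "unlabeled_t":
            rec["verdict"] = "relabel"
            rec["reason"] = ("target is unlabeled_t: add a file context for the "
                             "path and relabel; do not add an allow rule")
        else:
            rec["verdict"] = "policy"
            rec["reason"] = "target carries a real label: candidate for an interface call"
        results.append(rec)
    return results


def policy_candidates(log):
    """Distinct (source type, object class, permission, target type) tuples that
    survive triage, i.e. the only denials worth mapping to refpolicy interfaces."""
    cands = set()
    for rec in triage(log):
        if rec["verdict"] != "policy":
            continue
        for perm in rec["perms"]:
            cands.add((rec["stype"], rec["tclass"], perm, rec["ttype"]))
    return sorted(cands)


if __name__ == "__main__":
    for rec in triage(SAMPLE_AVC):
        print(f'{rec["verdict"]:8} {rec["stype"]} -> {rec["ttype"]} '
              f'{rec["tclass"]} {{ {" ".join(rec["perms"])} }} {rec["path"]}')
    print("policy candidates:", policy_candidates(SAMPLE_AVC))
```

Run against real output with `ausearch -m avc --raw | python3 triage.py` after replacing `SAMPLE_AVC` with stdin; the `relabel` verdicts point at paths to fix with a file context entry and `restorecon`, and only the `policy` candidates should be looked up against interface names such as the `kernel_mounton_*` calls in the patch.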
