[Pkg-sysvinit-devel] Bug#656155: #656155: /run/lock mounting

Arno Schuring aelschuring at hotmail.com
Wed Feb 22 11:42:18 UTC 2012


Martin Orr (martin at martinorr.name on 2012-02-09 09:39 +0000):
> On Tue, Jan 17, 2012 at 12:06:16AM +0100, Arno wrote:
> > 
> > So, bug report first:
> > mountkernfs.sh restores the context for /run/lock before mounting
> > it as a separate filesystem. This doesn't go down well with selinux
> > policy, because we're not supposed to mount on top of var_lock_t:
> > 
> > avc:  denied  { mounton } for  pid=287 comm="mount"
> > path="/run/lock" dev=tmpfs ino=3033
> > scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> 
> The correct fix is to allow mounting on var_lock_t in policy.
> This makes sense because /var/lock has always been a valid mountpoint,
> even before /run.
> 
> > Wishlist item next:

Ok, just drop this part. As I've learned, the whole exercise will be
moot anyway once selinux' support for named file transitions enters
Debian (https://fedoraproject.org/wiki/Features/SELinuxFileNameTransition).

Which leaves the /run/lock mounting issue for which I don't have the
solution. CC'ing Russell as selinux maintainer.


Regards,
Arno
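As an added illustration, not part of this thread or of the sysvinit or refpolicy packages, the script below parses the AVC denial quoted above and emits the type-enforcement allow rule Martin describes (the same shape audit2allow produces); the regex and function names are my own.

```python
import re

# The AVC denial from the bug report, rejoined onto one line.
AVC_LINE = (
    'avc:  denied  { mounton } for  pid=287 comm="mount" '
    'path="/run/lock" dev=tmpfs ino=3033 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:var_lock_t:s0 tclass=dir'
)

# Header: "avc:  denied  { perm perm ... } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)'
)
# key=value pairs; values may be quoted (comm, path) or bare (scontext, tclass).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial as a dict (result, perms, pid, comm, path, scontext, ...) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': sorted(m.group('perms').split())}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None

def allow_rules(lines):
    """Merge denials with the same (source type, target type, class) into one allow rule."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        merged.setdefault(key, set()).update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules([AVC_LINE])))
```

Review the generated rule before loading it: it grants mount_t exactly the permission the log shows, which is the intent here, but the same mechanical step applied to an unreviewed denial can legitimise a real policy violation.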
