From mboxrd@z Thu Jan 1 00:00:00 1970 From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 20 Jun 2012 17:29:51 +0200 Subject: [refpolicy] [PATCH v2]: allow mount to write to all of its runtime files In-Reply-To: <4FE1DAAD.2000802@tresys.com> References: <201206151635.q5FGZvOD021663@vivaldi13.register.it> <4FE1DAAD.2000802@tresys.com> Message-ID: <1340206191.3570.2.camel@vortex> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2012-06-20 at 10:14 -0400, Christopher J. PeBenito wrote: > On 06/15/12 12:35, Guido Trentalancia wrote: [cut] > > --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200 > > +++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200 > > @@ -54,6 +54,9 @@ ifdef(`distro_suse',` > > /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) > > /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) > > /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) > > +/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0) > > +/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) > > why not just merge these two lines into /etc/mtab~[0-9]* ? Yes, sure, you're right, here it is: Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]\{0,20\} lock files (the number corresponds to the PID). Such files are still mistakenly being labelled as etc_t instead of etc_runtime_t (thus preventing the successful completion of the write operation and the accumulation of unremovable stale lock files over several operation attempts as in normal system reboots, for example). Do the same with the standard mount temporary file /etc/mtab.tmp. The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv for the location of such files. 
Signed-off-by: Guido Trentalancia --- policy/modules/kernel/files.fc | 2 ++ 1 file changed, 2 insertions(+) --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200 +++ refpolicy-04062012-allow-mount-write-mtab-lock-files/policy/modules/kernel/files.fc 2012-06-20 17:18:53.677833852 +0200 @@ -54,6 +54,8 @@ ifdef(`distro_suse',` /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
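Review bot: the commit message and the hunk describe different patterns: the text says `/etc/mtab~[0-9]\{0,20\}`, while the added line is `/etc/mtab~[0-9]*` (unbounded, and also matching the bare `/etc/mtab~` since file-context regexes are anchored); please make the description match the pattern actually added. The second added line, `/etc/mtab\.tmp`, correctly escapes the dot, consistent with the existing `/etc/mtab\.fuselock` entry directly below it, and neither new pattern overlaps the anchored `/etc/mtab` entry, so no existing label changes.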
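A quick way to check, before submitting a file-contexts change like this one, that the new patterns actually cover the lock and temporary file names the description talks about and nothing else. The following is an added example, not code from the patch or from refpolicy: it takes the mtab entries from the hunk above, applies them as anchored regular expressions the way file_contexts entries are matched, and reports which entries match a given path. The sample paths are constructed; Python's `re.fullmatch` stands in for the POSIX anchored matching libselinux performs, which is equivalent for these simple patterns.

```python
import re

# The mtab-related entries from the hunk above (whitespace collapsed).
# Raw string so that the backslash-escaped dots survive as written.
FILE_CONTEXTS = r"""
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
"""

# file_contexts type flags: "--" regular file, "-d" directory, "-l" symlink, etc.
FILE_TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
                   "-b": "blk", "-s": "sock", "-p": "fifo"}


def parse_fc(text):
    """Parse 'regex [flag] gen_context(...)' lines into (regex, ftype, label) tuples.

    ftype is None when the entry has no type flag (it then applies to any object).
    label is the user:role:type part of the gen_context() macro argument.
    """
    specs = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, ctx = parts
            ftype = FILE_TYPE_FLAGS[flag]
        elif len(parts) == 2:
            regex, ctx = parts
            ftype = None
        else:
            raise ValueError(f"unparseable file_contexts line: {line!r}")
        m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", ctx)
        if m is None:
            raise ValueError(f"unparseable context: {ctx!r}")
        specs.append((regex, ftype, m.group(1)))
    return specs


def matching_labels(specs, path, ftype="file"):
    """Return the labels of every entry whose anchored regex matches `path`.

    file_contexts regexes are implicitly anchored at both ends, hence fullmatch.
    An entry with a type flag only applies to objects of that type.
    """
    return [label for regex, spec_type, label in specs
            if (spec_type is None or spec_type == ftype) and re.fullmatch(regex, path)]


def check_expectations(specs, expectations):
    """Compare expected label lists against the parser; return the mismatches."""
    failures = {}
    for path, expected in expectations.items():
        got = matching_labels(specs, path)
        if got != expected:
            failures[path] = (expected, got)
    return failures


if __name__ == "__main__":
    runtime = ["system_u:object_r:etc_runtime_t"]
    # Constructed sample paths: the lock files the description mentions, the
    # temporary file, and two near-misses that must not match.
    expectations = {
        "/etc/mtab": runtime,
        "/etc/mtab~": runtime,          # bare lock file, covered by [0-9]*
        "/etc/mtab~1234": runtime,      # PID-suffixed lock file
        "/etc/mtab.tmp": runtime,       # matched by the escaped \.tmp entry
        "/etc/mtabXtmp": [],            # would match an unescaped "." only
        "/etc/mtab~abc": [],            # non-numeric suffix is not a lock file
    }
    for path, (expected, got) in check_expectations(parse_fc(FILE_CONTEXTS), expectations).items():
        print(f"MISMATCH {path}: expected {expected}, got {got}")
```

Running the script prints nothing when every path resolves as intended; each mismatch is reported on its own line. The same table-driven check can be extended with any other entries from the hunk to confirm that a new pattern does not steal a path from an existing, more specific one.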