* [refpolicy] PATCH: allow mount to write to all of its runtime files
From: Guido Trentalancia @ 2012-06-15 16:35 UTC
To: refpolicy

Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]{0,20}
lock files (the number corresponds to the PID). Such files are still mistakenly
being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
completion of the write operation and the accumulation of unremovable stale lock
files over several operation attempts as in normal system reboots, for example).
Do the same with the standard mount temporary file /etc/mtab.tmp.
The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
for the location of such files.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/files.fc | 3 +++
1 file changed, 3 insertions(+)
--- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
+++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200
@@ -54,6 +54,9 @@ ifdef(`distro_suse',`
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
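Review bot: the dot in +/etc/mtab.tmp is an unescaped regex metacharacter (the path field of a file_contexts entry is a regular expression, as the /etc/nologin.* context line relies on), so this entry also labels names such as /etc/mtabXtmp; write it as /etc/mtab\.tmp so only the literal dot matches. The two new /etc/mtab~ entries can also collapse into one, /etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0), which covers both the bare lock file and the PID-suffixed ones.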
* [refpolicy] PATCH: allow mount to write to all of its runtime files
From: Christopher J. PeBenito @ 2012-06-20 14:14 UTC
To: refpolicy

On 06/15/12 12:35, Guido Trentalancia wrote:
> Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]{0,20}
> lock files (the number corresponds to the PID). Such files are still mistakenly
> being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
> completion of the write operation and the accumulation of unremovable stale lock
> files over several operation attempts as in normal system reboots, for example).
>
> Do the same with the standard mount temporary file /etc/mtab.tmp.
>
> The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
> for the location of such files.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
> policy/modules/kernel/files.fc | 3 +++
> 1 file changed, 3 insertions(+)
>
> --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
> +++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200
> @@ -54,6 +54,9 @@ ifdef(`distro_suse',`
> /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
> /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)

why not just merge these two lines into /etc/mtab~[0-9]* ?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH v2]: allow mount to write to all of its runtime files
From: Guido Trentalancia @ 2012-06-20 15:29 UTC
To: refpolicy

On Wed, 2012-06-20 at 10:14 -0400, Christopher J. PeBenito wrote:
> On 06/15/12 12:35, Guido Trentalancia wrote:

[cut]

> > --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
> > +++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200
> > @@ -54,6 +54,9 @@ ifdef(`distro_suse',`
> > /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
> > /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > +/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > +/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
>
> why not just merge these two lines into /etc/mtab~[0-9]* ?

Yes, sure, you're right, here it is:

Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]\{0,20\}
lock files (the number corresponds to the PID). Such files are still mistakenly
being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
completion of the write operation and the accumulation of unremovable stale lock
files over several operation attempts as in normal system reboots, for example).

Do the same with the standard mount temporary file /etc/mtab.tmp.

The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
for the location of such files.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/files.fc | 2 ++
1 file changed, 2 insertions(+)

--- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
+++ refpolicy-04062012-allow-mount-write-mtab-lock-files/policy/modules/kernel/files.fc 2012-06-20 17:18:53.677833852 +0200
@@ -54,6 +54,8 @@ ifdef(`distro_suse',`
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
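Review bot: the commit message still describes the lock files as /etc/mtab~[0-9]\{0,20\}, while the added pattern +/etc/mtab~[0-9]* puts no upper bound on the digit count; either bound the pattern or drop the \{0,20\} from the description so the two agree. The escaped dot in +/etc/mtab\.tmp now matches only the literal name, consistent with the neighbouring /etc/mtab\.fuselock context line.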
* [refpolicy] [PATCH v2]: allow mount to write to all of its runtime files
From: Dominick Grift @ 2012-06-20 15:46 UTC
To: refpolicy

On Wed, 2012-06-20 at 17:29 +0200, Guido Trentalancia wrote:
> On Wed, 2012-06-20 at 10:14 -0400, Christopher J. PeBenito wrote:
> > On 06/15/12 12:35, Guido Trentalancia wrote:
>
> [cut]
>
> > > --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
> > > +++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200
> > > @@ -54,6 +54,9 @@ ifdef(`distro_suse',`
> > > /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
> > > /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > +/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > +/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> >
> > why not just merge these two lines into /etc/mtab~[0-9]* ?
>
> Yes, sure, you're right, here it is:
>
> Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]\{0,20\}
> lock files (the number corresponds to the PID). Such files are still mistakenly
> being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
> completion of the write operation and the accumulation of unremovable stale lock
> files over several operation attempts as in normal system reboots, for example).
>
> Do the same with the standard mount temporary file /etc/mtab.tmp.
>
> The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
> for the location of such files.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
> policy/modules/kernel/files.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
> +++ refpolicy-04062012-allow-mount-write-mtab-lock-files/policy/modules/kernel/files.fc 2012-06-20 17:18:53.677833852 +0200
> @@ -54,6 +54,8 @@ ifdef(`distro_suse',`
> /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
> /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +
> +/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
>

Why not just do "/etc/mtab.* -- ..." and get it over with?

Anyways, seems nowadays /etc/mtab is a symlink to /proc/mounts

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
* [refpolicy] [PATCH v2]: allow mount to write to all of its runtime files
From: Guido Trentalancia @ 2012-06-20 21:22 UTC
To: refpolicy

Hello Dominick.

On Wed, 2012-06-20 at 17:46 +0200, Dominick Grift wrote:
> On Wed, 2012-06-20 at 17:29 +0200, Guido Trentalancia wrote:
> > On Wed, 2012-06-20 at 10:14 -0400, Christopher J. PeBenito wrote:
> > > On 06/15/12 12:35, Guido Trentalancia wrote:
> >
> > [cut]
> >
> > > > --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
> > > > +++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200
> > > > @@ -54,6 +54,9 @@ ifdef(`distro_suse',`
> > > > /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > > /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
> > > > /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > > +/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > > +/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)

[cut]

> Why not just do "/etc/mtab.* -- ..." and get it over with?
>
> Anyways, seems nowadays /etc/mtab is a symlink to /proc/mounts

They are not exactly the same thing. And not all systems are necessarily
using /proc/mounts. Finally, the lock files are always created in /etc as
/proc/mounts is just a kernel-generated substitute for /etc/mtab.

So, it should work both ways (for /etc/mtab) and it should support the
lock files and the temporary file.

Regards,

Guido
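The three pattern choices debated in this thread (the merged /etc/mtab~[0-9]* Chris proposed, the escaped /etc/mtab\.tmp of v2, and Dominick's broader /etc/mtab.*) can be checked offline against the names mount writes before a policy is built. What follows is an added example, not code from the thread, from refpolicy or from libselinux: a small Python reader for file_contexts-style entries that applies the anchored-regex and file-type-qualifier rules of file_contexts(5) and a simplified last-match-wins lookup. The SAMPLE_FC excerpt, the MOUNT_PATHS list, the matched_by helper and the label_type function are the example's own constructions; real libselinux additionally sorts specs by specificity before looking them up, which the constructed sample is already ordered to agree with.

```python
import re
from typing import List, NamedTuple, Optional

# file_contexts(5) file-type qualifiers and the inode kind each restricts a spec to
FILE_TYPE_CODES = {
    "--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
    "-b": "blk", "-s": "sock", "-p": "fifo",
}


class Spec(NamedTuple):
    regex: "re.Pattern"     # anchored: libselinux wraps the path field in ^...$
    kind: Optional[str]     # None: applies to every inode kind
    context: str            # e.g. system_u:object_r:etc_runtime_t


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse refpolicy .fc style lines: <path regex> [<type>] gen_context(<ctx>,<mls>)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        path_re = fields[0]
        kind = FILE_TYPE_CODES[fields[1]] if len(fields) == 3 else None
        # gen_context() is an m4 macro expanded at policy build time; take its context argument
        m = re.fullmatch(r"gen_context\(([^,]+),[^)]*\)", fields[-1])
        context = m.group(1) if m else fields[-1]
        specs.append(Spec(re.compile("^" + path_re + "$"), kind, context))
    return specs


def label_type(specs: List[Spec], path: str, kind: str = "file") -> Optional[str]:
    """SELinux type the specs assign to `path` (an inode of `kind`), or None.

    Simplified lookup (an assumption of this example): scan from the last entry
    backwards and take the first hit, so the last matching entry in file order
    wins.  libselinux first sorts specs by specificity; the constructed sample
    is already ordered general-to-specific, so the outcome is the same here.
    """
    for spec in reversed(specs):
        if spec.kind is not None and spec.kind != kind:
            continue
        if spec.regex.match(path):
            return spec.context.split(":")[2]
    return None


def matched_by(path_pattern: str, candidates: List[str]) -> List[str]:
    """Which of `candidates` a single file_contexts path regex would cover."""
    anchored = re.compile("^" + path_pattern + "$")
    return [p for p in candidates if anchored.match(p)]


# Constructed excerpt in files.fc style (not the real file): a catch-all for /etc
# followed by /etc/mtab entries in the shape of the v2 patch.
SAMPLE_FC = r"""
/etc(/.*)?              gen_context(system_u:object_r:etc_t,s0)
/etc/mtab           --  gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab~[0-9]*    --  gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.tmp      --  gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock --  gen_context(system_u:object_r:etc_runtime_t,s0)
"""

# Constructed names: the files the thread says mount writes, plus two near-misses.
MOUNT_PATHS = ["/etc/mtab", "/etc/mtab~", "/etc/mtab~1234", "/etc/mtab.tmp",
               "/etc/mtab.fuselock", "/etc/mtabXtmp", "/etc/mtab_extra"]


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FC)
    for p in MOUNT_PATHS:
        print(f"{p:22} regular file -> {label_type(specs, p)}")
    # `--` entries cover regular files only: an /etc/mtab symlink keeps the catch-all type
    print(f"{'/etc/mtab':22} symlink      -> {label_type(specs, '/etc/mtab', 'symlink')}")
    for pat in ["/etc/mtab~[0-9]*", "/etc/mtab.tmp", r"/etc/mtab\.tmp", "/etc/mtab.*"]:
        print(f"{pat:22} covers {matched_by(pat, MOUNT_PATHS)}")
```

Running it shows that the unescaped /etc/mtab.tmp also covers /etc/mtabXtmp, that /etc/mtab.* covers every name beginning with /etc/mtab (a policy call, not a syntax error), and that a `--` entry leaves an /etc/mtab symlink with the catch-all type, which is the case Dominick raised. On a live system the authoritative answer comes from matchpathcon against the installed policy; this reader is for reasoning about a proposed .fc change before it is built.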