Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1132331pxb;
        Thu, 28 Jan 2021 08:43:19 -0800 (PST)
X-Google-Smtp-Source: ABdhPJydER9U1I4IYW1AhmUCsUszTXglvtaif9AdRiE/XJHJBBhIZ9FAeXLR6jGh+I7WfYbp8YXs
X-Received: by 2002:a17:906:3285:: with SMTP id 5mr249073ejw.356.1611852199609;
        Thu, 28 Jan 2021 08:43:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1611852199; cv=none;
        d=google.com; s=arc-20160816;
        b=aQW5majrUxhV02qyU8XQbMf2++NLss8QebiiOPOcGKZIjzc2iS46Fx3svoTFwkp69C
         4GZFs5F+cfQgnlB1yfEHYWbTaXXYDa0xdMKMqT87Xl0kw30CYXpSIgHaBRw0b4F4E1LP
         iifVw7kJaHSmvsU6/heLcbs0hqEzm8JRx3J/Liqwz6nLLb/jUzFx7EWuR38MvKxrnv4O
         TLcQDqrwtvAf7EphAkwpwH/FA7sbyz0IiymiX5d9oanGaanyqH5oetHKQ3WhtXiJ9rlw
         NQ/w9Iy/l+OtElDsb4ngk1Y99k6qZiyl9UW1hiCbN8qYZiNeV1LMuXvFdRwdeO+dhlmY
         DBHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :to:subject:dkim-signature;
        bh=c3eWV3p0s0ovOoen288gBOi/qqku3qZ+44My6hF9n4U=;
        b=xvMSymTIIFDqGiFHxT46UrjTU9fmezoCAAGGnTzJ8C6Bo8VVOk8NB/yEFhrKxEOU+Q
         TdeIXsZj21/AlGw5n4S0ZuYj3btY8L3eECdFpfckvALkgZEtMFZayPdaDSazI4Hfy8it
         GaG1hs0P9I6l9cp4IextY+zLMg4NtKinUPpAzFRbLYI8G0CzCkKCjes3d3l2QOO81tQR
         3/VflxU1djh5QksXvYqKljtsWpYjyeT6wEoc9YT9rt70k8DfocJ+XW+RYGxvkCVQg52j
         8Ub9rm4i/vgG/9y/tfIcUdRhaqgPOhP5GgOo0xPWq+9WQGuBjOxA5KZFbdERsDWUOLL9
         j3iw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=QXZjZm2I;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g10si3058024edu.189.2021.01.28.08.43.15;
        Thu, 28 Jan 2021 08:43:19 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=QXZjZm2I;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232658AbhA1QlB (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 16 others); Thu, 28 Jan 2021 11:41:01 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42926 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232252AbhA1Qkv (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 28 Jan 2021 11:40:51 -0500
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 01A1CC0613D6
        for <selinux-refpolicy@vger.kernel.org>; Thu, 28 Jan 2021 08:40:11 -0800 (PST)
Received: by mail-qk1-x72e.google.com with SMTP id l27so5820373qki.9
        for <selinux-refpolicy@vger.kernel.org>; Thu, 28 Jan 2021 08:40:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=c3eWV3p0s0ovOoen288gBOi/qqku3qZ+44My6hF9n4U=;
        b=QXZjZm2I0egpgwAej2hMUXXBwTrvDR423GtcYRk+w1x9FGQ1IZMmPXwHN8Zgad9War
         DYEiKUMeXvlvC9GWKB1ChtKLyPCytHXX/6dD7icy1ArqXIwWlZNeFcEX3lsEyAqoSQ7c
         pmxpexGeqaRQhBtIS1YnhWn/jRJQYm0Gy3LvM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=c3eWV3p0s0ovOoen288gBOi/qqku3qZ+44My6hF9n4U=;
        b=OoU+Crii1PAxY56PPcZs1+Rii2vvxWvzZngeXU8cuntNOTEwtmdfX5ymaeBsrC/LRw
         TbqEYPpHAUjrwc0DVU3bSZMGnmDqH21AGoNHKs8zFQ0d4GolvD4z55oiLz9psD2WscwH
         0sslZo3Wba7U8sMKd+gcpH/o6qizQE9Xm228pO4OvFNtUIO6csY+2NmCL36CU+KHe+5P
         mMxiegYh6k/SFpGCKl6iFUrG8LpmFa2+Nayf3gRZIkNTiRUftUyO9lLfbZibg/RhVGP3
         Sa6BgfQXgJLsIFPK2G5k0VSliQSov+edz46NjojKQCbMmgPjT2U4vXmqnD8CUk85kdnr
         QKYQ==
X-Gm-Message-State: AOAM5310EtTekTDJwSn0y9oDQrLtLs4wzUDo2knyXxjmDaLl63jgTTAl
        8puSsr9A+FmvSMcLREAnLHuEbFKhlLrWaw==
X-Received: by 2002:a05:620a:2239:: with SMTP id n25mr49144qkh.46.1611852009985;
        Thu, 28 Jan 2021 08:40:09 -0800 (PST)
Received: from fedora.pebenito.net (pool-96-234-173-17.bltmmd.fios.verizon.net. [96.234.173.17])
        by smtp.gmail.com with ESMTPSA id z8sm3775955qtu.10.2021.01.28.08.40.08
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 28 Jan 2021 08:40:09 -0800 (PST)
Subject: Re: [PATCH] misc kernel and system patches with Dominick's changes
To:     Russell Coker <russell@coker.com.au>,
        selinux-refpolicy@vger.kernel.org
References: <YBEANDbm26zwQ9aj@xev>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <fcf9ccd3-d31b-0597-5daa-75a4647a8435@ieee.org>
Date:   Thu, 28 Jan 2021 11:18:11 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.6.1
MIME-Version: 1.0
In-Reply-To: <YBEANDbm26zwQ9aj@xev>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/27/21 12:55 AM, Russell Coker wrote:
> This patch has the changes that Dominick suggested and the things that
> needed more discussion removed.  I think it's ready to merge.
> 
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>


> @@ -967,8 +987,14 @@ tunable_policy(`systemd_nspawn_labeled_n
>   	# manage etc symlinks for /etc/localtime
>   	files_manage_etc_symlinks(systemd_nspawn_t)
>   	files_mounton_runtime_dirs(systemd_nspawn_t)
> +	files_mounton_kernel_symbol_table(systemd_nspawn_t)
>   	files_search_home(systemd_nspawn_t)
[...]
> @@ -986,6 +1012,7 @@ tunable_policy(`systemd_nspawn_labeled_n
>   	selinux_getattr_fs(systemd_nspawn_t)
>   	selinux_remount_fs(systemd_nspawn_t)
>   	selinux_search_fs(systemd_nspawn_t)
> +	selinux_mounton_fs(systemd_nspawn_t)
>   
>   	init_domtrans(systemd_nspawn_t)
>   

I think I'm ok with the other rules, but this makes me think.  We already have 
several mount points that nspawn is using and it seems like a slippery slope. 
While conceivably you could make nspawn mount anywhere, maybe this is a 
candidate for mounting on all init_mountpoint_type ?

-- 
Chris PeBenito