Subject: Re: [PATCH] another systemd misc patch
To: Chris PeBenito
Cc: Russell Coker, selinux-refpolicy@vger.kernel.org
References: <8e419ea2-1ba4-5b44-16ae-8fbe80cacf18@ieee.org> <0c8ef4b6-893a-134c-d8ba-c0a6af4e8638@ieee.org>
From: Dominick Grift
Date: Fri, 5 Feb 2021 21:45:32 +0100
In-Reply-To: <0c8ef4b6-893a-134c-d8ba-c0a6af4e8638@ieee.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/5/21 9:31 PM, Chris PeBenito wrote:
> On 2/5/21 3:18 PM, Dominick Grift wrote:
>> Chris PeBenito writes:
>>> On 2/2/21 10:31 PM, Russell Coker wrote:
>>>> Lots of little changes related to systemd.
>>>> Signed-off-by: Russell Coker
>
>>>> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
>>>>    # for /run/systemd/nspawn/incoming in chroot
>>>>    allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>>>>    +kernel_getattr_core_if(systemd_nspawn_t)
>>>> +kernel_getattr_proc(systemd_nspawn_t)
>>>> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
>>>> +
>>>>    kernel_mount_proc(systemd_nspawn_t)
>>>>    kernel_mounton_sysctl_dirs(systemd_nspawn_t)
>>>>    kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
>>>>    kernel_mounton_message_if(systemd_nspawn_t)
>>>>    kernel_mounton_proc(systemd_nspawn_t)
>>>> +kernel_mounton_sysctl_files(systemd_nspawn_t)
>>>> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
>>>
>>> With all of the mounting, perhaps we should consider coalescing on
>>> allowing it to mount on all init_mountpoint_types.
>>
>> mounton unlabeled dirs indicates that something is unlabeled/mislabeled
>> though. Wouldn't allow that.
>
> Yes I agree.  I noticed all the mountons but didn't notice this specific
> one.

I know how that goes, I probably "reviewed" this patch and overlooked this whole stuff ...
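Review bot: `kernel_mounton_unlabeled_dirs(systemd_nspawn_t)` and its companion `kernel_getattr_unlabeled_dirs(systemd_nspawn_t)` grant access to directories that carry no label, which, as the thread already points out, is a symptom of a labeling gap on the path nspawn mounts over (the nearby comment names /run/systemd/nspawn/incoming) rather than a legitimate requirement; suggest dropping both lines from this hunk and fixing the file context for that path instead, or documenting why an unlabeled mount target is expected here. The other additions (`kernel_getattr_core_if`, `kernel_getattr_proc`, `kernel_mounton_sysctl_files`) sit naturally beside the existing kernel_mounton_* calls and look fine. Note also that the header `@@ -925,14 +1001,26 @@` accounts for a net 12 added lines while only 6 `+` lines are visible in the quoted excerpt, so the rest of this hunk was trimmed in the reply and should be checked against the full patch before merging.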