2012-06-15 16:35:57

by Guido Trentalancia

Subject: [refpolicy] PATCH: allow mount to write to all of its runtime files

Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]{0,20}
lock files (the number corresponds to the PID). Such files are still mistakenly
being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
completion of the write operation and the accumulation of unremovable stale lock
files over several operation attempts as in normal system reboots, for example).

Do the same with the standard mount temporary file /etc/mtab.tmp.

The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
for the location of such files.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/files.fc | 3 +++
1 file changed, 3 insertions(+)

--- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
+++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200
@@ -54,6 +54,9 @@ ifdef(`distro_suse',`
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
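Review bot: the two `~` entries can be a single spec, since `/etc/mtab~[0-9]*` matches both `/etc/mtab~` and `/etc/mtab~<pid>`, and the `.` in `/etc/mtab.tmp` is a regex metacharacter in a file_contexts path, so it should be `/etc/mtab\.tmp` to match only the literal name (the unescaped dot in `/etc/nologin.*` two lines below is intended, this one is not). The changelog should also say which operation the entries fix: a file_contexts spec governs what setfiles/restorecon/matchpathcon assign, not the type a file receives when mount creates it, so "mistakenly being labelled as etc_t" should be stated in terms of a relabel leaving stale `/etc/mtab~<pid>` files as etc_t.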


2012-06-20 14:14:05

by cpebenito

Subject: [refpolicy] PATCH: allow mount to write to all of its runtime files

On 06/15/12 12:35, Guido Trentalancia wrote:
> Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]{0,20}
> lock files (the number corresponds to the PID). Such files are still mistakenly
> being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
> completion of the write operation and the accumulation of unremovable stale lock
> files over several operation attempts as in normal system reboots, for example).
>
> Do the same with the standard mount temporary file /etc/mtab.tmp.
>
> The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
> for the location of such files.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/files.fc | 3 +++
> 1 file changed, 3 insertions(+)
>
> --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
> +++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200
> @@ -54,6 +54,9 @@ ifdef(`distro_suse',`
> /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
> /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)

Why not just merge these two lines into /etc/mtab~[0-9]* ?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-06-20 15:29:51

by Guido Trentalancia

Subject: [refpolicy] [PATCH v2]: allow mount to write to all of its runtime files

On Wed, 2012-06-20 at 10:14 -0400, Christopher J. PeBenito wrote:
> On 06/15/12 12:35, Guido Trentalancia wrote:

[cut]

> > --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
> > +++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200
> > @@ -54,6 +54,9 @@ ifdef(`distro_suse',`
> > /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
> > /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > +/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > +/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
>
> why not just merge these two lines into /etc/mtab~[0-9]* ?

Yes, sure, you're right, here it is:

Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]\{0,20\}
lock files (the number corresponds to the PID). Such files are still mistakenly
being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
completion of the write operation and the accumulation of unremovable stale lock
files over several operation attempts as in normal system reboots, for example).

Do the same with the standard mount temporary file /etc/mtab.tmp.

The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
for the location of such files.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/files.fc | 2 ++
1 file changed, 2 insertions(+)

--- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
+++ refpolicy-04062012-allow-mount-write-mtab-lock-files/policy/modules/kernel/files.fc 2012-06-20 17:18:53.677833852 +0200
@@ -54,6 +54,8 @@ ifdef(`distro_suse',`
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
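Review bot: the changelog above still describes the lock files as `/etc/mtab~[0-9]\{0,20\}` while the spec added here is the unbounded `/etc/mtab~[0-9]*`; align the text with the regex so the two do not diverge. The escaped `\.tmp` and the `--` type field are right for regular lock and temp files; since `--` also means the existing `/etc/mtab` spec does not apply where /etc/mtab is a symlink, it is worth stating in the changelog that the new entries matter because the lock and temp files are still created as regular files under /etc even on such systems.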

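As an added example (not refpolicy or libselinux code), the following Python models how a file_contexts spec such as the ones in the first patch and the v2 patch is applied to a path: the regex is anchored to the whole path, the optional type field (`--` regular file, `-l` symlink) must match the kind of file being labelled, and, by assumption in this model, the last matching spec wins, which is the order refpolicy's sorted file_contexts presents to libselinux. The mtab entries are copied from the hunks in this thread; running the lookup over the pre-patch, v1 and v2 sets shows which mtab files each version labels etc_runtime_t and how the unescaped dot in the v1 `/etc/mtab.tmp` entry over-matches.

```python
import re

def parse_fc(text):
    """Parse file_contexts lines into (anchored regex, type field, context) specs."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # A spec is "regex [type] context"; the type field is optional
        path_re, ftype, ctx = parts if len(parts) == 3 else (parts[0], None, parts[1])
        # gen_context(user:role:type,mls) -> keep user:role:type
        m = re.match(r"gen_context\(([^,)]+)", ctx)
        # The regex must match the whole path, so anchor it at both ends
        specs.append((re.compile("^(?:" + path_re + ")$"), ftype, m.group(1) if m else ctx))
    return specs

def lookup(specs, path, kind="--"):
    """Context of the last matching spec for a file of the given kind, or None."""
    found = None
    for rx, ftype, ctx in specs:
        if ftype is not None and ftype != kind:
            continue  # e.g. a '--' spec never labels a symlink
        if rx.match(path):
            found = ctx  # keep going: last matching spec wins (model assumption)
    return found

# Entries copied from the hunks in the thread (mtab-related lines only)
BEFORE = r"""
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
"""
V1 = BEFORE + r"""
/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
"""
V2 = BEFORE + r"""
/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
"""

if __name__ == "__main__":
    for ver, fc in (("before", BEFORE), ("v1", V1), ("v2", V2)):
        for p in ("/etc/mtab~1234", "/etc/mtab~", "/etc/mtab.tmp", "/etc/mtabXtmp"):
            print(ver, p, lookup(parse_fc(fc), p))
```

A file_contexts spec only governs what setfiles, restorecon and matchpathcon assign; the type mount gives a file it creates comes from the policy's type transition rules, so this model answers the relabel question, not the creation-time one.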
2012-06-20 15:46:51

by dominick.grift

Subject: [refpolicy] [PATCH v2]: allow mount to write to all of its runtime files

On Wed, 2012-06-20 at 17:29 +0200, Guido Trentalancia wrote:
> On Wed, 2012-06-20 at 10:14 -0400, Christopher J. PeBenito wrote:
> > On 06/15/12 12:35, Guido Trentalancia wrote:
>
> [cut]
>
> > > --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
> > > +++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200
> > > @@ -54,6 +54,9 @@ ifdef(`distro_suse',`
> > > /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
> > > /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > +/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > +/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> >
> > why not just merge these two lines into /etc/mtab~[0-9]* ?
>
> Yes, sure, you're right, here it is:
>
> Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]\{0,20\}
> lock files (the number corresponds to the PID). Such files are still mistakenly
> being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
> completion of the write operation and the accumulation of unremovable stale lock
> files over several operation attempts as in normal system reboots, for example).
>
> Do the same with the standard mount temporary file /etc/mtab.tmp.
>
> The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
> for the location of such files.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/files.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
> +++ refpolicy-04062012-allow-mount-write-mtab-lock-files/policy/modules/kernel/files.fc 2012-06-20 17:18:53.677833852 +0200
> @@ -54,6 +54,8 @@ ifdef(`distro_suse',`
> /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
> /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +
> +/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
>

Why not just do "/etc/mtab.* -- ..." and get it over with?

Anyways, seems nowadays /etc/mtab is a symlink to /proc/mounts


2012-06-20 21:22:05

by Guido Trentalancia

Subject: [refpolicy] [PATCH v2]: allow mount to write to all of its runtime files

Hello Dominick.

On Wed, 2012-06-20 at 17:46 +0200, Dominick Grift wrote:
> On Wed, 2012-06-20 at 17:29 +0200, Guido Trentalancia wrote:
> > On Wed, 2012-06-20 at 10:14 -0400, Christopher J. PeBenito wrote:
> > > On 06/15/12 12:35, Guido Trentalancia wrote:
> >
> > [cut]
> >
> > > > --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200
> > > > +++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200
> > > > @@ -54,6 +54,9 @@ ifdef(`distro_suse',`
> > > > /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > > /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
> > > > /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > > +/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> > > > +/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)

[cut]

> Why not just do "/etc/mtab.* -- ..." and get it over with?
>
> Anyways, seems nowadays /etc/mtab is a symlink to /proc/mounts

They are not exactly the same thing.

And not all systems are necessarily using /proc/mounts.

Finally, the lock files are always created in /etc as /proc/mounts is
just a kernel-generated substitute for /etc/mtab.

So, it should work both ways (for /etc/mtab) and it should support the
lock files and the temporary file.

Regards,

Guido