From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 20 Jun 2012 23:22:05 +0200
Subject: [refpolicy] [PATCH v2]: allow mount to write to all of its runtime files
In-Reply-To: <1340207211.9690.5.camel@x220.mydomain.internal>
References: <201206151635.q5FGZvOD021663@vivaldi13.register.it> <4FE1DAAD.2000802@tresys.com> <1340206191.3570.2.camel@vortex> <1340207211.9690.5.camel@x220.mydomain.internal>
Message-ID: <1340227325.23287.7.camel@vortex>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Dominick.

On Wed, 2012-06-20 at 17:46 +0200, Dominick Grift wrote:
> On Wed, 2012-06-20 at 17:29 +0200, Guido Trentalancia wrote:
> > On Wed, 2012-06-20 at 10:14 -0400, Christopher J. PeBenito wrote:
> > > On 06/15/12 12:35, Guido Trentalancia wrote:
> > > > [cut]
> > > > > > --- refpolicy-04062012/policy/modules/kernel/files.fc 2012-06-15 19:33:36.615158614 +0200 > > > > +++ refpolicy-file-contexts/policy/modules/kernel/files.fc 2012-06-15 19:32:42.001703874 +0200 > > > > @@ -54,6 +54,9 @@ ifdef(`distro_suse',` > > > > /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) > > > > /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) > > > > /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) > > > > +/etc/mtab~ -- gen_context(system_u:object_r:etc_runtime_t,s0) > > > > +/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)

[cut]

> Why not just do "/etc/mtab.* -- ..." and get it over with?
>
> Anyways, seems nowadays /etc/mtab is a symlink to /proc/mounts

They are not exactly the same thing. And not all systems are necessarily using /proc/mounts.

Finally, the lock files are always created in /etc as /proc/mounts is just a kernel-generated substitute for /etc/mtab.

So, it should work both ways (for /etc/mtab) and it should support the lock files and the temporary file.

Regards,

Guido
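
Review bot: The two added "/etc/mtab~" entries in the files.fc hunk carry no comment saying which program creates these files, and they can be folded into a single entry, "/etc/mtab~[0-9]*", which matches the same names with one line to maintain. Keeping the pattern anchored on "~" and restricted to regular files ("--") is preferable to the "/etc/mtab.*" suggested in the reply, since the broader pattern would also label any other file whose name begins with /etc/mtab as etc_runtime_t. The visible lines cover only the "~" names; the reply also mentions a temporary file, and if the cut part of the patch does not label it, it needs its own entry.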