mount.fc defines file contexts for /usr/bin/mount.*, /usr/bin/umount.*
and /usr/sbin/mount\.zfs. These patterns are not consistent for two
reasons:
- some distributions use /sbin/mount... for other file systems that zfs.
For example Debian uses /sbin/mount.ntfs-3g
(https://packages.debian.org/jessie/amd64/ntfs-3g/filelist)
- mount_exec_t type should only be applied to mount, umount, mount.$FS
and umount.udisks2, not mountpoint.
Replace the file patterns with ones that do not match mountpoint and
match every mount and umount programs in /usr/bin and /usr/sbin.
This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way. I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.
Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.
Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.
Description: systemd-nspawn
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-29
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
Here's the latest version of my patch to remove all /var/run when it's not
needed. I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it. So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.
From Russell Coker
* reorder file contexts
* rename getty_var_run_t into getty_runtime_t and getty_etc_t into getty_conf_t
* remove unneeded and confusing init permissions
* delete access on generic pids
* remove invalid etc filetrans: getty has no create permissions for its config files
* restrict logfile access
These are needed by several patches I'm about to send.
Description: some new interfaces for init/systemd
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-02-24
When with systemd a program does not ship a systemd unit file but only a init script, systemd creates a pseudo service on the fly.
To be able to act on this service, add the target attribute init_script_file_type to the init_ACTION_all_units interfaces.
Useful for monit.
Nicolas Iooss
Chris PeBenito
cgzones
Jason Zaman
Russell Coker