On systems such as Arch Linux, all programs which are usually located in
/bin, /sbin, /usr/bin and /usr/sbin are present in /usr/bin and the
other locations are symbolic links to this directory. With such a
configuration, the file contexts which define types for files in
/bin, /sbin and /usr/sbin need to be duplicated to provide definitions
for /usr/bin/...
As the "/bin vs. /usr/bin" part of the needed definitions has already
been done with the "usr merge" patches, the next step consists in
duplicating file contexts for /usr/sbin. This is what this patch does
for all modules which are not in contrib.
This is the second iteration of an idea I have previously posted on
http://oss.tresys.com/pipermail/refpolicy/2017-March/009176.html
mount.fc defines file contexts for /usr/bin/mount.*, /usr/bin/umount.*
and /usr/sbin/mount\.zfs. These patterns are not consistent for two
reasons:
- some distributions use /sbin/mount... for other file systems that zfs.
For example Debian uses /sbin/mount.ntfs-3g
(https://packages.debian.org/jessie/amd64/ntfs-3g/filelist)
- mount_exec_t type should only be applied to mount, umount, mount.$FS
and umount.udisks2, not mountpoint.
Replace the file patterns with ones that do not match mountpoint and
match every mount and umount programs in /usr/bin and /usr/sbin.
Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.
Add these missing file contexts when there are outside ifdef blocks.
Remove file context aliases and update file context paths to use the /run filesystem path.
Add backward compatibility file context alias for /var/run using applications like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321
Lock files are still seated at /var/lock
Nicolas Iooss
Chris PeBenito
cgzones
Chris PeBenito
Matthew Thode
Laurent Bigonville