When spawning services such as systemd-timedated with systemd 244, systemd now mounts an inaccessible directory on /dev/kmsg and /proc/kmsg:

```
type=AVC msg=audit(1576535711.579:363): avc: denied { mounton } for pid=1497 comm="(imedated)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=9055 scontext=system_u:system_r:init_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1576535711.583:364): avc: denied { getattr } for pid=1497 comm="(imedated)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532027 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_kmsg_t tclass=file permissive=1
type=AVC msg=audit(1576535711.589:365): avc: denied { mounton } for pid=1497 comm="(imedated)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532027 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_kmsg_t tclass=file permissive=1
```

Running "findmnt" in the resulting mount namespace shows:

```
|-/dev          dev                              devtmpfs rw,...
| `-/dev/kmsg   run[/systemd/inaccessible/chr]   tmpfs    ro,...
|-/proc         proc                             proc     rw,...
| `-/proc/kmsg  run[/systemd/inaccessible/reg]   tmpfs    ro,...
```

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
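The denials quoted in the commit message are what a policy author turns into the permissions the `init_t` domain is missing. The script below is an added example, not part of this commit or of the policy tree: it parses AVC lines in the form shown above, extracts the type from each `scontext`/`tcontext`, merges the permissions per (source type, target type, object class), and renders them as `allow` statements, the same reduction `audit2allow` performs. The sample log is constructed from the three lines in the message; the function names are this example's own. Note that the `permissive=1` field means the access was logged but not blocked, which is why all three denials could be collected in one run.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC denials quoted in the commit message,
# one record per line (the page shows them run together).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1576535711.579:363): avc: denied { mounton } for pid=1497 comm="(imedated)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=9055 scontext=system_u:system_r:init_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1576535711.583:364): avc: denied { getattr } for pid=1497 comm="(imedated)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532027 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_kmsg_t tclass=file permissive=1
type=AVC msg=audit(1576535711.589:365): avc: denied { mounton } for pid=1497 comm="(imedated)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532027 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_kmsg_t tclass=file permissive=1
"""

# Matches the permission set, both security contexts, the object class and the
# optional permissive flag of one "avc: denied" record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def _type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Yield one dict per AVC denial line; lines that are not AVC records are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "perms": set(m.group("perms").split()),
            "source_type": _type_of(m.group("scontext")),
            "target_type": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1: the kernel logged the denial without enforcing it
            "permissive": m.group("permissive") == "1",
        }


def denials_to_allow_rules(log_text):
    """Merge denials by (source, target, class) and render them as allow rules."""
    merged = defaultdict(set)
    for d in parse_avc_denials(log_text):
        merged[(d["source_type"], d["target_type"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Running it on the sample prints `allow init_t kmsg_device_t:chr_file mounton;` and `allow init_t proc_kmsg_t:file { getattr mounton };`. In a refpolicy tree these accesses are normally granted through the interfaces of the modules that own `kmsg_device_t` and `proc_kmsg_t` rather than as raw `allow` lines, so the output is the specification of what is needed, not the patch itself. The `path=` values also show that the mounts happen under the per-unit `/run/systemd/unit-root` tree, which explains why the target types are the kmsg device and proc file types and not a systemd-private label.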