On 1/27/21 12:55 AM, Russell Coker wrote:
This patch has the changes that Dominick suggested and the things that
needed more discussion removed. I think it's ready to merge.
Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
@@ -967,8 +987,14 @@ tunable_policy(`systemd_nspawn_labeled_n
# manage etc symlinks for /etc/localtime
files_manage_etc_symlinks(systemd_nspawn_t)
files_mounton_runtime_dirs(systemd_nspawn_t)
+ files_mounton_kernel_symbol_table(systemd_nspawn_t)
files_search_home(systemd_nspawn_t)
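Review bot: the new `files_mounton_kernel_symbol_table(systemd_nspawn_t)` line carries no explanatory comment, unlike the neighbouring `# manage etc symlinks for /etc/localtime` block, and the commit message does not say which path nspawn mounts over or why it needs to mount on the kernel symbol table rather than only read it. Mounting on that file is unusual enough that a one-line comment stating the use case (the container path it is bind-mounted into) should accompany the rule so later reviewers can tell whether it is still required.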
[...]
@@ -986,6 +1012,7 @@ tunable_policy(`systemd_nspawn_labeled_n
selinux_getattr_fs(systemd_nspawn_t)
selinux_remount_fs(systemd_nspawn_t)
selinux_search_fs(systemd_nspawn_t)
+ selinux_mounton_fs(systemd_nspawn_t)
init_domtrans(systemd_nspawn_t)
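Review bot: `selinux_mounton_fs(systemd_nspawn_t)` grants mount-on of the SELinux filesystem with no comment or commit-message justification, and the commit message says rules that needed more discussion were removed, so it is not clear this one was meant to stay. If it is required, document the concrete case (what nspawn mounts over selinuxfs and whether the mount is read-only) next to the rule; otherwise it belongs with the deferred changes.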
I think I'm ok with the other rules, but this makes me think. We already have
several mount points that nspawn is using and it seems like a slippery slope.
While conceivably you could make nspawn mount anywhere, maybe this is a
candidate for mounting on all init_mountpoint_type?
--
Chris PeBenito