On 2/5/21 9:31 PM, Chris PeBenito wrote:
> On 2/5/21 3:18 PM, Dominick Grift wrote:
>> Chris PeBenito <pebenito@xxxxxxxx> writes:
>>> On 2/2/21 10:31 PM, Russell Coker wrote:
>>>> Lots of little changes related to systemd.
>>>> Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
>
>>>> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
>>>> # for /run/systemd/nspawn/incoming in chroot
>>>> allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>>>> +kernel_getattr_core_if(systemd_nspawn_t)
>>>> +kernel_getattr_proc(systemd_nspawn_t)
>>>> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
>>>> +
>>>> kernel_mount_proc(systemd_nspawn_t)
>>>> kernel_mounton_sysctl_dirs(systemd_nspawn_t)
>>>> kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
>>>> kernel_mounton_message_if(systemd_nspawn_t)
>>>> kernel_mounton_proc(systemd_nspawn_t)
>>>> +kernel_mounton_sysctl_files(systemd_nspawn_t)
>>>> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
>>>
>>> With all of the mounting, perhaps we should consider coalescing on
>>> allowing it to mount on all init_mountpoint_types.
>>
>> mounton unlabeled dirs indicates that something is unlabeled/mislabeled
>> though. Wouldn't allow that.
>
> Yes I agree. I noticed all the mountons but didn't notice this specific
> one.

I know how that goes, I probably "reviewed" this patch and overlooked this whole stuff ...
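Review bot: the added `kernel_mounton_unlabeled_dirs(systemd_nspawn_t)` line in this hunk grants mounton on unlabeled_t directories, which, as the thread notes, means some path systemd-nspawn touches has no label rather than that the domain legitimately needs the permission; suggest dropping it (and revisiting the companion `kernel_getattr_unlabeled_dirs(systemd_nspawn_t)` for the same reason) and instead identifying the unlabeled path from the denial and giving it a proper file context, keeping only the specific interfaces such as `kernel_mounton_sysctl_files(systemd_nspawn_t)`. The commit message "Lots of little changes related to systemd" also does not say which denials motivated each of the new kernel_* calls, so the paths involved should be listed so reviewers can judge whether each permission is needed or a labeling fix.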