[PATCH 34/67] policycoreutils: sandbox: FIXME do not bind mount so

Daniel J Walsh <dwalsh@xxxxxxxxxx> · Thu, 15 Sep 2011 15:44:13 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


This patch looks good to me. acked.

pam_namespace and sandbox both do the bind mounts internally now.  No
reason to force this on everyone.  Hopefully the sandbox init script
will be disappearing with systemd doing this by default.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5yVYwACgkQrlYvE4MpobMk0wCfX1XvN0N5XF8FKniNiH+h4763
VNoAoIheFq+CdghKZwWTlfGFW0qPkR+s
=9n8c
-----END PGP SIGNATURE-----
>From 74efe512574f2b44d9bbd487eb5dcc68d66f1989 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@xxxxxxxxxx>
Date: Mon, 8 Aug 2011 15:47:43 -0400
Subject: [PATCH 34/67] policycoreutils: sandbox: FIXME do not bind mount so
 much

Why not?

NOT-Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 policycoreutils/sandbox/sandbox.init |   26 ++++++--------------------
 1 files changed, 6 insertions(+), 20 deletions(-)

diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init
index ff8b3ef..66aadfd 100644
--- a/policycoreutils/sandbox/sandbox.init
+++ b/policycoreutils/sandbox/sandbox.init
@@ -10,17 +10,12 @@
 #
 # chkconfig: 345 1 99
 #
-# Description: sandbox and other apps that want to use pam_namespace 
-#              on /var/tmp, /tmp and home directories, requires this script
-#              to be run at boot time.
-#              This script sets up the / mount point and all of its 
-#              subdirectories as shared. The script sets up
-#              /tmp, /var/tmp, /home and any homedirs listed in 
-#              /etc/sysconfig/sandbox and all of their subdirectories 
-#              as unshared.
-#              All processes that use pam_namespace will see 
-#              modifications to the global mountspace, except for the
-#              unshared directories.
+# description: sandbox, xguest and other apps that want to use pam_namespace \
+#              require this script be run at boot.  This service script does \
+#              not actually run any service but sets up: \
+#              /var/tmp, /tmp and home directories to be used by these tools.\
+#              If you do not use sandbox, xguest or pam_namespace you can turn \
+#              this service off.\
 #
 
 # Source function library.
@@ -41,15 +36,6 @@ start() {
 
 	touch $LOCKFILE
 	mount --make-rshared / || return $? 
-	mount --rbind /tmp /tmp || return $?
-	mount --rbind /var/tmp /var/tmp || return $?
-	mount --make-private /tmp || return $?
-	mount --make-private /var/tmp || return $?
-	for h in $HOMEDIRS; do
-	    mount --rbind $h $h || return $?
-	    mount --make-private $h || return $?
-	done
-
 	return 0
 }
 
-- 
1.7.6.2





