2017-03-05 04:30:53

by Jason Zaman

Subject: [refpolicy] [PATCH] /var/run -> /run

On 5 Mar 2017 12:02, "Russell Coker via refpolicy" <[email protected]>
wrote:

This patch changes the remaining /var/run instances to /run. There are
surprisingly few of them.


Index: refpolicy-2.20170303/policy/modules/contrib/iodine.fc
===================================================================
--- refpolicy-2.20170303.orig/policy/modules/contrib/iodine.fc
+++ refpolicy-2.20170303/policy/modules/contrib/iodine.fc
@@ -2,4 +2,4 @@

/usr/sbin/iodined -- gen_context(system_u:object_r:
iodined_exec_t,s0)

-/var/run/iodine(/.*)? gen_context(system_u:object_r:
iodined_var_run_t,s0)
+/run/iodine(/.*)? gen_context(system_u:object_r:
iodined_var_run_t,s0)
Index: refpolicy-2.20170303/policy/modules/contrib/mon.fc
===================================================================
--- refpolicy-2.20170303.orig/policy/modules/contrib/mon.fc
+++ refpolicy-2.20170303/policy/modules/contrib/mon.fc
@@ -5,7 +5,7 @@

/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)

-/var/run/mon(/.*)? gen_context(system_u:object_r:
mon_var_run_t,s0)
+/run/mon(/.*)? gen_context(system_u:object_r:
mon_var_run_t,s0)

/var/lib/mon(/.*)? gen_context(system_u:object_r:
mon_var_lib_t,s0)
/var/log/mon(/.*)? gen_context(system_u:object_r:
mon_var_log_t,s0)
Index: refpolicy-2.20170303/policy/modules/contrib/qemu.fc
===================================================================
--- refpolicy-2.20170303.orig/policy/modules/contrib/qemu.fc
+++ refpolicy-2.20170303/policy/modules/contrib/qemu.fc
@@ -7,4 +7,4 @@

/usr/libexec/qemu.* -- gen_context(system_u:object_r:
qemu_exec_t,s0)

-/var/run/xen/qmp.* -- gen_context(system_u:object_r:
qemu_var_run_t,s0)
+/run/xen/qmp.* -- gen_context(system_u:object_r:
qemu_var_run_t,s0)
Index: refpolicy-2.20170303/policy/modules/kernel/files.fc
===================================================================
--- refpolicy-2.20170303.orig/policy/modules/kernel/files.fc
+++ refpolicy-2.20170303/policy/modules/kernel/files.fc
@@ -212,8 +212,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr/tmp/.* <<none>>

ifdef(`distro_debian',`
-# on Debian /lib/init/rw is a tmpfs used like /var/run but
-# before /var is mounted
+# on Debian /lib/init/rw is a tmpfs used like /run
/usr/lib/init/rw(/.*)? gen_context(system_u:object_r:
var_run_t,s0-mls_systemhigh)
')

@@ -253,7 +252,6 @@ ifndef(`distro_redhat',`
/var/lost\+found -d gen_context(system_u:object_r:
lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>>

-/var/run -d gen_context(system_u:object_r:
var_run_t,s0-mls_systemhigh)
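Review bot: removing the `/var/run -d` spec while the `/var/run -l` spec a few lines below is kept means a /var/run that is still a real directory (the case raised in this thread) no longer matches any var_run_t entry, and the `-d` line was the only one carrying the `s0-mls_systemhigh` range; the surviving `-l` entry is plain `s0`. If dropping the directory case is intended, the commit message should say so; otherwise keep the `-d` line alongside the `-l` one.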


I'd keep this. It can't hurt and I don't know if there are any edge cases
or if not everyone has it as a symlink.

/var/run -l gen_context(system_u:object_r:var_run_t,s0)

/var/spool(/.*)? gen_context(system_u:object_r:
var_spool_t,s0)
Index: refpolicy-2.20170303/policy/modules/system/logging.fc
===================================================================
--- refpolicy-2.20170303.orig/policy/modules/system/logging.fc
+++ refpolicy-2.20170303/policy/modules/system/logging.fc
@@ -55,7 +55,7 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')

-/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:
devlog_t,mls_systemhigh)
+/run/systemd/journal/stdout -s gen_context(system_u:object_r:
devlog_t,mls_systemhigh)

/run/audit_events -s gen_context(system_u:object_r:
auditd_var_run_t,mls_systemhigh)
/run/audispd_events -s gen_context(system_u:object_r:
audisp_var_run_t,mls_systemhigh)
Index: refpolicy-2.20170303/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20170303.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20170303/policy/modules/system/sysnetwork.fc
@@ -71,6 +71,6 @@ ifdef(`distro_gentoo',`

ifdef(`distro_debian',`
/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-/var/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0)
')

Index: refpolicy-2.20170303/policy/modules/system/systemd.fc
===================================================================
--- refpolicy-2.20170303.orig/policy/modules/system/systemd.fc
+++ refpolicy-2.20170303/policy/modules/system/systemd.fc
@@ -50,4 +50,4 @@
/run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:
systemd_kmod_conf_t,s0)

/var/log/journal(/.*)? gen_context(system_u:object_r:
systemd_journal_t,s0)
-/var/run/log/journal(/.*)? gen_context(system_u:object_r:
systemd_journal_t,s0)
+/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
Index: refpolicy-2.20170303/config/file_contexts.subs_dist
===================================================================
--- refpolicy-2.20170303.orig/config/file_contexts.subs_dist
+++ refpolicy-2.20170303/config/file_contexts.subs_dist
@@ -22,8 +22,3 @@
/usr/local/lib32 /usr/lib
/usr/local/lib64 /usr/lib
/usr/local/lib /usr/lib
-
-# backward compatibility
-# not for refpolicy intern, but for /var/run using applications,
-# like systemd tmpfiles or systemd socket configurations
-/var/run /run
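Review bot: dropping the `/var/run /run` substitution affects every lookup that still uses the old path, not only refpolicy's own specs: the removed comment names systemd tmpfiles and socket configurations, and the rest of this patch moves refpolicy's specs to /run, so after this hunk a path given as /var/run/foo would no longer be rewritten to /run/foo before matching and would fall through to whatever generic /var spec matches. Keep this entry, or at least split its removal into a separate commit so the /run spec changes can land on their own.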


This has to stay. It's for when other programs do stuff with /var/run.
Otherwise the labels would be wrong.

_______________________________________________
refpolicy mailing list
refpolicy at oss.tresys.com
http://oss.tresys.com/mailman/listinfo/refpolicy
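Jason's point above, that the subs entry is what keeps labels right for programs still using /var/run, as an added illustration that is not part of the original mail or of the refpolicy sources: a small Python model of how a file_contexts.subs_dist substitution is applied to the looked-up path before file_contexts matching. The file_contexts excerpt and the paths are constructed, and the matching rule is simplified to last-match-wins.

```python
import re

# Constructed excerpt of file_contexts in the post-patch /run form (not the real refpolicy files).
FILE_CONTEXTS = """\
/var(/.*)?              gen_context(system_u:object_r:var_t,s0)
/run(/.*)?              gen_context(system_u:object_r:var_run_t,s0)
/run/mon(/.*)?          gen_context(system_u:object_r:mon_var_run_t,s0)
/run/xen/qmp.*      --  gen_context(system_u:object_r:qemu_var_run_t,s0)
"""
# file_contexts.subs_dist lines: "<prefix the caller uses> <prefix to match on>".
SUBS_WITH_COMPAT = "/var/run /run\n"  # the entry this hunk removes
SUBS_WITHOUT_COMPAT = ""              # what the patch leaves behind

def parse_subs(text):
    return [tuple(line.split()) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]

def apply_subs(path, subs):
    """Rewrite a leading path prefix before spec matching. The rewrite only
    applies on a '/' boundary, so /var/runner is left alone."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def parse_specs(text):
    """Return (compiled regex, context) pairs. The optional middle field
    (--, -d, -l, -s ...) restricts the inode type; this model ignores it."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            specs.append((re.compile(parts[0] + "$"), parts[-1]))
    return specs

def lookup(path, subs_text, fc_text=FILE_CONTEXTS):
    """Return the SELinux type a path would receive, or None if no spec matches.
    Simplification: the last matching spec wins (libselinux sorts by specificity)."""
    path = apply_subs(path, parse_subs(subs_text))
    ctx = None
    for regex, context in parse_specs(fc_text):
        if regex.match(path):
            ctx = context
    return None if ctx is None else re.search(r"object_r:(\w+)", ctx).group(1)

if __name__ == "__main__":  # with the entry: mon_var_run_t; without it: var_t
    print(lookup("/var/run/mon/mon.pid", SUBS_WITH_COMPAT),
          lookup("/var/run/mon/mon.pid", SUBS_WITHOUT_COMPAT))
```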


2017-03-05 04:36:08

by Russell Coker

Subject: [refpolicy] [PATCH] /var/run -> /run

On Sun, 5 Mar 2017 03:30:53 PM Jason Zaman wrote:
> -# backward compatibility
> -# not for refpolicy intern, but for /var/run using applications,
> -# like systemd tmpfiles or systemd socket configurations
> -/var/run /run
>
>
> This has to stay. It's for when other programs do stuff with /var/run.
> Otherwise the labels would be wrong.

On Debian /var/run is a symlink to /run. Are there any distributions not
doing this?

Also please configure your MUA to use "> " at the start of each quoted line, it
makes your mail very difficult to read otherwise.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-03-05 06:21:03

by Jason Zaman

Subject: [refpolicy] [PATCH] /var/run -> /run

On Sun, Mar 05, 2017 at 03:36:08PM +1100, Russell Coker wrote:
> On Sun, 5 Mar 2017 03:30:53 PM Jason Zaman wrote:
> > -# backward compatibility
> > -# not for refpolicy intern, but for /var/run using applications,
> > -# like systemd tmpfiles or systemd socket configurations
> > -/var/run /run
> >
> >
> > This has to stay. It's for when other programs do stuff with /var/run.
> > Otherwise the labels would be wrong.
>
> On Debian /var/run is a symlink to /run. Are there any distributions not
> doing this?

Not that I know of currently, but old installs might still be set up like
that?
>
> Also please configure your MUA to use "> " at the start of each quoted line, it
> makes your mail very difficult to read otherwise.

Ugh, yeah, the Gmail app on my phone was dumb. :(

-- Jason

>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/

2017-03-05 07:12:43

by Russell Coker

Subject: [refpolicy] [PATCH] /var/run -> /run

On Sun, 5 Mar 2017 05:21:03 PM Jason Zaman via refpolicy wrote:
> > > This has to stay. It's for when other programs do stuff with /var/run.
> > > Otherwise the labels would be wrong.
> >
> > On Debian /var/run is a symlink to /run. Are there any distributions
> > not doing this?
>
> Not that i know of currently, but old installs might still be setup like
> that?

Recent policies won't build on older versions of Debian; something about the
build scripts depends on recent utilities. I don't know if this is an
upstream issue or Debian specific because I haven't cared enough to check it
out.

My personal goal for compatibility is that things should work with a kernel or
policy from a version of Debian earlier or later than the current version -
but not with policy from a version earlier and kernel from a version later.
But this isn't a hard goal and such cross version support isn't demanded. I'm
happy to tell users "edit your tmpfiles.d files if you want to use a 2017+
policy with Debian/Stretch".

SE Linux is tightly integrated into a Linux system, essential things like ls,
cp, cron, sshd, and systemd link with SE Linux libraries. Upgrading an SE
Linux policy package drags in lots of dependencies, including versioned
dependencies. Upgrading a policy package while keeping any significant portion
of the rest of the system 2 versions behind might be impossible and puts you
at risk of breakage due to things like glibc and kernel inter-dependencies.
Not to mention the fact that no-one tests such differences of versions so even
if things theoretically should work they are likely to break due to not being
tested.

Now someone could compile a recent policy on an older system. But that's an
expert level task (it's something I wouldn't do due to it taking too much
effort and not providing enough benefit) and anyone who has the skills to
complete that will be able to fix minor things like /var/run labelling. They
will certainly have much bigger problems along the way.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-03-05 13:53:06

by Chris PeBenito

Subject: [refpolicy] [PATCH] /var/run -> /run

On 03/04/17 23:36, Russell Coker via refpolicy wrote:
> On Sun, 5 Mar 2017 03:30:53 PM Jason Zaman wrote:
>> -# backward compatibility
>> -# not for refpolicy intern, but for /var/run using applications,
>> -# like systemd tmpfiles or systemd socket configurations
>> -/var/run /run
>>
>>
>> This has to stay. It's for when other programs do stuff with /var/run.
>> Otherwise the labels would be wrong.
>
> On Debian /var/run is a symlink to /run. Are there any distributions not
> doing this?

I'd prefer to keep it. Is keeping it causing a problem?

--
Chris PeBenito

2017-03-06 07:16:39

by Russell Coker

Subject: [refpolicy] [PATCH] /var/run -> /run

On Mon, 6 Mar 2017 12:53:06 AM Chris PeBenito via refpolicy wrote:
> > On Debian /var/run is a symlink to /run. Are there any distributions not
> > doing this?
>
> I'd prefer to keep it. Is keeping it causing a problem?

The problem is that programs that haven't been updated since 2011 won't ever
be updated unless we look for them.

In Debian, screen has just been fixed due to the bug report I filed.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-03-08 01:15:27

by Chris PeBenito

Subject: [refpolicy] [PATCH] /var/run -> /run

On 03/06/17 02:16, Russell Coker wrote:
> On Mon, 6 Mar 2017 12:53:06 AM Chris PeBenito via refpolicy wrote:
>>> On Debian /var/run is a symlink to /run. Are there any distributions not
>>> doing this?
>>
>> I'd prefer to keep it. Is keeping it causing a problem?
>
> The problem is that programs that haven't been updated since 2011 won't ever
> be updated unless we look for them.
>
> In Debian screen has just been fixed due to the bug report I filed.

There's nothing preventing distros from removing it for that purpose.
For upstream, I'd like to keep as much compatibility as (reasonably)
possible.

--
Chris PeBenito