2016-12-06 10:37:51

by Christian Göttsche

Subject: [refpolicy] Transition from /var/run to /run

Hi list,
I'd like to discuss transitioning the file contexts from /var/run to
/run, and with it /var/run/lock to /run/lock.

The FHS 3.0 suggests using /run over /var/run.
http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html
http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html

From my point of view, most of the distributions using the reference policy
are using /run.
I did not find any documentation for Gentoo, but it seems to me that
Gentoo is using /run too.

Arch:
https://wiki.archlinux.org/index.php/Tmpfs

Debian:
https://wiki.debian.org/ReleaseGoals/RunDirectory

Fedora:
https://docs.fedoraproject.org/en-US/Fedora/15/html/Release_Notes/sect-Release_Notes-Changes_for_SysAdmin.html
https://lwn.net/Articles/436012/


This transition can either be done by hand or scripted; I am currently
testing a scripted transition by running
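# Rewrite every refpolicy file-context spec that starts with the legacy
# /var/run/ or /var/lock/ prefix to its /run equivalent.
#
# The glob is quoted so that find receives it literally instead of the
# shell expanding it against the current directory (which would silently
# turn the -name test into a list of local *.fc files, or fail outright).
# The sed expressions are anchored with ^, so only the leading path
# component of a spec is rewritten; specs without a trailing slash
# (e.g. "/var/run -d" or "/var/lock(/.*)?") are deliberately left alone.
# Note: sed -i is the GNU in-place form used in the original command.
find refpolicy/ -name '*.fc' -exec sed -i 's|^/var/run/|/run/|' {} \;
find refpolicy/ -name '*.fc' -exec sed -i 's|^/var/lock/|/run/lock/|' {} \;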

and then patching

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index e233ea70..6f5ef492 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -12,11 +12,11 @@
/lib/systemd /usr/lib/systemd
/lib32 /lib
/lib64 /lib
-/run /var/run
-/run/lock /var/lock
+#/run /var/run
+#/run/lock /var/lock
/usr/lib32 /usr/lib
/usr/lib64 /usr/lib
/usr/local/lib32 /usr/lib
/usr/local/lib64 /usr/lib
/usr/local/lib /usr/lib
-/var/run/lock /var/lock
+#/var/run/lock /var/lock
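Review bot: Commenting out the three substitutions leaves no mapping at all between the legacy names and the new ones, so every userspace lookup that still uses the old path — tmpfiles.d snippets that say /var/run, a restorecon of /var/lock, local or third-party .fc modules the sed pass did not touch — no longer reaches the /run specs and either falls through to a broader spec or to none, producing mislabeled objects. Inverting the substitutions instead of removing them keeps the lookup working: replace the three commented lines with `/var/run /run`, `/var/lock /run/lock` and `/var/run/lock /run/lock`, so that the legacy names resolve to the new /run specs. The `/var/run -d` and `-l` specs that survive in files.fc only cover the directory and symlink objects themselves, not anything looked up beneath them.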

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index fc765e7b..d6874cd4 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -245,7 +245,8 @@ ifndef(`distro_redhat',`
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
-/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock -d gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh)
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
/var/log/lost\+found -d
gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
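Review bot: The recursive `/var/lock(/.*)?` spec is replaced by a `-d`/`-l` pair only, so on a host where /var/lock is still a real directory rather than a symlink into /run (older layouts, chroots, container images) anything created beneath it has no spec of its own, and the `/run/lock /var/lock` substitution that would have covered that case is commented out in the first hunk of this patch. The next hunk makes the same assumption when it drops `/var/run/.*` while keeping `/var/run -d`. If the non-symlink layout is meant to stay supported, keep a `/var/lock/.* gen_context(system_u:object_r:var_lock_t,s0)` line beside the new `-d` entry; if it is not, a comment stating that both directories are expected to be symlinks to /run would make the intent clear. The `s0-mls_systemhigh` range on the new `/var/lock -d` line mirrors the existing `/var/run -d` spec, which looks intentional.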
@@ -258,8 +259,6 @@ ifndef(`distro_redhat',`
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
-/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
-/var/run/.*\.*pid <<none>>
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
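Review bot: Dropping `/var/run/.*\.*pid <<none>>` removes the only visible spec telling setfiles/restorecon to leave pid files alone, and no `/run/.*\.*pid <<none>>` counterpart appears in the patch; unless such a line already exists in files.fc outside this hunk, pid files under /run would be relabeled to the generic directory-content type on the next relabel. Separately, the `sed 's|^/var/run/|/run/|'` pass described earlier in the mail would itself rewrite the two removed lines here (and the `/var/run/motd` lines in the last hunk), so either the sed output already contains duplicates of these specs or the patch was taken before sed ran — stating the intended order would let others reproduce the result.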
@@ -275,6 +274,6 @@ ifndef(`distro_redhat',`
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
ifdef(`distro_debian',`
-/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')

Kind regards,
Christian Göttsche


2016-12-06 16:55:44

by Dac Override

Subject: [refpolicy] Transition from /var/run to /run

On 12/06/2016 11:37 AM, cgzones via refpolicy wrote:
> Hi list,
> i'd like to discuss to transition the file contexts from /var/run to
> /run and with it /var/run/lock to /run/lock.
>
> The FHS 3.0 suggests using /run over /var/run.
> http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html
> http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html
>
> From my point of view, most of the reference policy using distros are
> using /run.
> I did not find any documentation for Gentoo, but for me, it seems
> Gentoo is using /run too.
>

I also did this in "dssp1" (but not the original "dssp"). However, using
/run will break various systemd-tmpfiles config snippets from
/usr/lib/tmpfiles.d.

This is because some of these snippets still refer to /var/run instead of /run,
and this causes the affected objects to end up mislabeled: tmpfiles looks up
the context for the path it was given and applies it via setfscreatecon().

The solution would be to fix these tmpfiles config drop-ins.


> Arch:
> https://wiki.archlinux.org/index.php/Tmpfs
>
> Debian:
> https://wiki.debian.org/ReleaseGoals/RunDirectory
>
> Fedora:
> https://docs.fedoraproject.org/en-US/Fedora/15/html/Release_Notes/sect-Release_Notes-Changes_for_SysAdmin.html
> https://lwn.net/Articles/436012/
>
>
> This transition can be either done by hand or i am testing currently a
> scripted transition by running
> find refpolicy/ -name *.fc -exec sed -i 's|'^/var/run/'|'/run/'|' {} \;
> find refpolicy/ -name *.fc -exec sed -i 's|'^/var/lock/'|'/run/lock/'|' {} \;
>
> and then patching
>
> diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
> index e233ea70..6f5ef492 100644
> --- a/config/file_contexts.subs_dist
> +++ b/config/file_contexts.subs_dist
> @@ -12,11 +12,11 @@
> /lib/systemd /usr/lib/systemd
> /lib32 /lib
> /lib64 /lib
> -/run /var/run
> -/run/lock /var/lock
> +#/run /var/run
> +#/run/lock /var/lock
> /usr/lib32 /usr/lib
> /usr/lib64 /usr/lib
> /usr/local/lib32 /usr/lib
> /usr/local/lib64 /usr/lib
> /usr/local/lib /usr/lib
> -/var/run/lock /var/lock
> +#/var/run/lock /var/lock
>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index fc765e7b..d6874cd4 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -245,7 +245,8 @@ ifndef(`distro_redhat',`
> /var/lib/nfs/rpc_pipefs(/.*)? <<none>>
> -/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
> +/var/lock -d gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh)
> +/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
> /var/log/lost\+found -d
> gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
> /var/log/lost\+found/.* <<none>>
> @@ -258,8 +259,6 @@ ifndef(`distro_redhat',`
> /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> /var/run -l gen_context(system_u:object_r:var_run_t,s0)
> -/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
> -/var/run/.*\.*pid <<none>>
> /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
> /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
> @@ -275,6 +274,6 @@ ifndef(`distro_redhat',`
> /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
> ifdef(`distro_debian',`
> -/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> -/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> ')
>
> Kindly regards,
> Christian Göttsche
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-12-07 01:05:25

by Chris PeBenito

Subject: [refpolicy] Transition from /var/run to /run

On 12/06/16 05:37, cgzones via refpolicy wrote:
> Hi list,
> i'd like to discuss to transition the file contexts from /var/run to
> /run and with it /var/run/lock to /run/lock.
>
> The FHS 3.0 suggests using /run over /var/run.
> http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html
> http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html
>
> From my point of view, most of the reference policy using distros are
> using /run.
> I did not find any documentation for Gentoo, but for me, it seems
> Gentoo is using /run too.

I'm not in a rush to replace it, since the path substitutions handle it
easily. When we do change it, all references in the policy would need
to change.


> Arch:
> https://wiki.archlinux.org/index.php/Tmpfs
>
> Debian:
> https://wiki.debian.org/ReleaseGoals/RunDirectory
>
> Fedora:
> https://docs.fedoraproject.org/en-US/Fedora/15/html/Release_Notes/sect-Release_Notes-Changes_for_SysAdmin.html
> https://lwn.net/Articles/436012/
>
>
> This transition can be either done by hand or i am testing currently a
> scripted transition by running
> find refpolicy/ -name *.fc -exec sed -i 's|'^/var/run/'|'/run/'|' {} \;
> find refpolicy/ -name *.fc -exec sed -i 's|'^/var/lock/'|'/run/lock/'|' {} \;
>
> and then patching
>
> diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
> index e233ea70..6f5ef492 100644
> --- a/config/file_contexts.subs_dist
> +++ b/config/file_contexts.subs_dist
> @@ -12,11 +12,11 @@
> /lib/systemd /usr/lib/systemd
> /lib32 /lib
> /lib64 /lib
> -/run /var/run
> -/run/lock /var/lock
> +#/run /var/run
> +#/run/lock /var/lock
> /usr/lib32 /usr/lib
> /usr/lib64 /usr/lib
> /usr/local/lib32 /usr/lib
> /usr/local/lib64 /usr/lib
> /usr/local/lib /usr/lib
> -/var/run/lock /var/lock
> +#/var/run/lock /var/lock
>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index fc765e7b..d6874cd4 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -245,7 +245,8 @@ ifndef(`distro_redhat',`
> /var/lib/nfs/rpc_pipefs(/.*)? <<none>>
> -/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
> +/var/lock -d gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh)
> +/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
> /var/log/lost\+found -d
> gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
> /var/log/lost\+found/.* <<none>>
> @@ -258,8 +259,6 @@ ifndef(`distro_redhat',`
> /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> /var/run -l gen_context(system_u:object_r:var_run_t,s0)
> -/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
> -/var/run/.*\.*pid <<none>>
> /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
> /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
> @@ -275,6 +274,6 @@ ifndef(`distro_redhat',`
> /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
> ifdef(`distro_debian',`
> -/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> -/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> ')
>
> Kindly regards,
> Christian Göttsche


--
Chris PeBenito