From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 30 Oct 2012 22:51:56 +0100 Subject: [refpolicy] [PATCH 4/4] Update files_manage_generic_locks with directory permissions In-Reply-To: <1351633916-29606-1-git-send-email-sven.vermeulen@siphos.be> References: <1351633916-29606-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1351633916-29606-5-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Currently, the files_manage_generic_locks only handles the lock files. If a domain needs to manage both lock files and the lock directories (like specific subdirectories in /var/lock that are not owned by a single other domain, such as Gentoo's /var/lock/subsys location) it also needs the manage permissions on the directory. This is to support OpenRC's migration of /var/lock to /run/lock which otherwise fails: * Migrating /var/lock to /run/lock cp: cannot create directory '/run/lock/subsys': Permission denied rm: cannot remove '/var/lock/subsys': Permission denied Signed-off-by: Sven Vermeulen --- policy/modules/kernel/files.if | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 7c4b4ae..1f0c6f8 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -5818,6 +5818,7 @@ interface(`files_manage_generic_locks',` allow $1 var_t:dir search_dir_perms; allow $1 var_lock_t:lnk_file read_lnk_file_perms; + manage_dirs_pattern($1, var_lock_t, var_lock_t) manage_files_pattern($1, var_lock_t, var_lock_t) ') -- 1.7.8.6
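Review bot: the new `manage_dirs_pattern($1, var_lock_t, var_lock_t)` line widens files_manage_generic_locks for every existing caller, not only the OpenRC migration case described in the message: any domain already calling this interface now gains create, rename and delete on var_lock_t directories on top of the file permissions it had, which is a least-privilege regression for callers that only ever needed lock files. Consider either a separate interface for directory management (e.g. a files_manage_generic_lock_dirs; name hypothetical) so existing callers keep their current privilege, or at least reviewing the current callers before widening this one. The interface's description block is outside the hunk; if it still states that the interface manages lock files only, update it to say it manages lock directories as well.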