From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 07 Dec 2012 00:13:03 -0500
Subject: [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t
In-Reply-To: <1354739968-4547-3-git-send-email-bigon@debian.org>
References: <1354739968-4547-1-git-send-email-bigon@debian.org> <1354739968-4547-3-git-send-email-bigon@debian.org>
Message-ID: <50C17ADF.2010302@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville > > In Debian, /dev/shm is a symlink to /var/run/shm. Label that mountpoint > the same way. > --- > policy/modules/kernel/filesystem.fc | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc > index cda5588..4da589c 100644 > --- a/policy/modules/kernel/filesystem.fc > +++ b/policy/modules/kernel/filesystem.fc > @@ -14,3 +14,6 @@ > # for systemd systems: > /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) > /sys/fs/cgroup/.* <> > + > +/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0) > +/var/run/shm/.* <>

Wouldn't it make more sense to just have a file context substitution in the Debian policy?

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
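
Review bot: the two /var/run/shm entries added at the end of policy/modules/kernel/filesystem.fc are unconditional and carry no comment, although the commit message describes the /dev/shm symlink to /var/run/shm as a Debian arrangement. The cgroup entries directly above are introduced by "# for systemd systems:"; the new block should get an equivalent comment naming Debian and be wrapped in a distro_debian ifdef, so that other distributions do not pick up a tmpfs_t label for a path under /var/run that they do not use as a tmpfs mountpoint.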