From: bigon@debian.org (Laurent Bigonville)
Date: Sat, 15 Dec 2012 23:29:06 +0100
Subject: [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t
In-Reply-To: <50C17ADF.2010302@tresys.com>
References: <1354739968-4547-1-git-send-email-bigon@debian.org> <1354739968-4547-3-git-send-email-bigon@debian.org> <50C17ADF.2010302@tresys.com>
Message-ID: <20121215232906.4a5f2f4d@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 07 Dec 2012 00:13:03 -0500, "Christopher J. PeBenito" wrote:

> On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> > From: Laurent Bigonville
> >
> > In Debian, /dev/shm is a symlink to /var/run/shm. Label that
> > mountpoint the same way.
> > ---
> > policy/modules/kernel/filesystem.fc | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/policy/modules/kernel/filesystem.fc
> > b/policy/modules/kernel/filesystem.fc index cda5588..4da589c 100644
> > --- a/policy/modules/kernel/filesystem.fc
> > +++ b/policy/modules/kernel/filesystem.fc
> > @@ -14,3 +14,6 @@
> > # for systemd systems:
> > /sys/fs/cgroup -d
> > gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup/.*
> > <> +
> > +/var/run/shm -d
> > gen_context(system_u:object_r:tmpfs_t,s0)
> > +/var/run/shm/.* <>
>
> Wouldn't it make more sense to just have a file context substitution
> in the Debian policy?

For some reason it's not working. Maybe because /var/run is already a
tmpfs?

If you want I can give a patch that defines this only for Debian.

Laurent Bigonville
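Review bot: the two new /var/run/shm entries put a Debian-specific filesystem layout into the distribution-neutral kernel module policy/modules/kernel/filesystem.fc, which is the objection the maintainer raises in the reply. If the entries are to stay upstream, mark them the way the preceding block is marked (a comment such as `# for Debian systems:` before `+/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)`), and have the commit message say why a file context substitution of /var/run/shm to /dev/shm in the Debian policy was not enough, since that is the alternative being proposed and the thread so far only records that it "is not working".

The maintainer's alternative, a file context substitution, rewrites the path being looked up before it is matched against the file_contexts table. The following Python model, added here and not taken from refpolicy or libselinux, shows the difference between the two approaches on a constructed excerpt of a file_contexts table: without anything extra, /var/run/shm falls under the generic /var/run entry; with a substitution line like the one the maintainer suggests, the lookup is rewritten to /dev/shm and picks up the tmpfs_t entry for that directory; with the patch's own two entries appended, the same result is reached directly. The table contents, the `PATCH_ENTRIES` list, and the matching rules (first matching substitution prefix wins; last matching table entry wins; `-d` entries match only directories) are simplifications chosen for this illustration and are not a statement of libselinux's exact ordering.

```python
import re

# Constructed excerpt in refpolicy .fc style, not the project's real table.
# Each entry: (anchored regex, file-type flag or None for "any type", context).
# "<<none>>" means "assign nothing; leave the label the filesystem provides".
FILE_CONTEXTS = [
    (r"/dev/shm",       "-d", "system_u:object_r:tmpfs_t:s0"),
    (r"/dev/shm/.*",    None, "<<none>>"),
    (r"/var/run(/.*)?", None, "system_u:object_r:var_run_t:s0"),
]

# Constructed entries mirroring what the quoted hunk adds (assumption: the
# hunk's "<>" is the usual refpolicy "<<none>>" marker, mangled by extraction).
PATCH_ENTRIES = [
    (r"/var/run/shm",    "-d", "system_u:object_r:tmpfs_t:s0"),
    (r"/var/run/shm/.*", None, "<<none>>"),
]

# Constructed substitution table in "source destination" form, the shape the
# maintainer's suggestion would take in a file_contexts.subs_dist file.
SUBS = [
    ("/var/run/shm", "/dev/shm"),
]


def apply_subs(path, subs):
    """Rewrite a leading whole-component prefix of `path` per `subs`.

    Simplification (assumption for this model): the first entry whose source
    matches a complete leading path component wins; "/var/run/shmfoo" is not
    rewritten by a "/var/run/shm" source.
    """
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path, ftype, contexts, subs=()):
    """Return the context the table assigns to `path`, or None if no entry matches.

    `ftype` is the file-type flag of the object being labelled ("-d" for a
    directory, "--" for a regular file). Entries whose flag is None match any
    type. Simplification (assumption for this model): the last matching entry
    in the table wins.
    """
    key = apply_subs(path, subs)
    result = None
    for regex, flag, ctx in contexts:
        if flag is not None and flag != ftype:
            continue
        if re.fullmatch(regex, key):
            result = ctx
    return result


if __name__ == "__main__":
    # Baseline: the mount point inherits the generic /var/run label.
    print("no subs, no patch:", lookup("/var/run/shm", "-d", FILE_CONTEXTS))
    # Maintainer's suggestion: rewrite the path, reuse the /dev/shm entries.
    print("with subs:        ", lookup("/var/run/shm", "-d", FILE_CONTEXTS, SUBS))
    print("file under it:    ", lookup("/var/run/shm/sem.x", "--", FILE_CONTEXTS, SUBS))
    # The patch's approach: dedicated entries for the Debian path.
    print("with patch:       ", lookup("/var/run/shm", "-d", FILE_CONTEXTS + PATCH_ENTRIES))
```

Both routes give the mount point tmpfs_t and leave the files beneath it to the tmpfs, which is what the commit message asks for; the difference is only where the rule lives (a substitution in the distribution's policy versus an entry in the shared kernel module). The model does not explain the "not working" report in the reply, since the thread gives no detail about it.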