From: dominick.grift@gmail.com (grift)
Date: Sun, 16 Dec 2012 17:41:04 +0100
Subject: [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t
In-Reply-To: <20121215232906.4a5f2f4d@soldur.bigon.be>
References: <1354739968-4547-1-git-send-email-bigon@debian.org> <1354739968-4547-3-git-send-email-bigon@debian.org> <50C17ADF.2010302@tresys.com> <20121215232906.4a5f2f4d@soldur.bigon.be>
Message-ID: <1355676064.1822.1.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2012-12-15 at 23:29 +0100, Laurent Bigonville wrote:
> On Fri, 07 Dec 2012 00:13:03 -0500,
> "Christopher J. PeBenito" wrote:
>
> > On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> > > From: Laurent Bigonville
> > >
> > > In Debian, /dev/shm is a symlink to /var/run/shm. Label that
> > > mountpoint the same way.
> > > ---
> > > policy/modules/kernel/filesystem.fc | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/policy/modules/kernel/filesystem.fc
> > > b/policy/modules/kernel/filesystem.fc index cda5588..4da589c 100644
> > > --- a/policy/modules/kernel/filesystem.fc
> > > +++ b/policy/modules/kernel/filesystem.fc
> > > @@ -14,3 +14,6 @@
> > > # for systemd systems:
> > > /sys/fs/cgroup -d
> > > gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup/.*
> > > <> +
> > > +/var/run/shm -d
> > > gen_context(system_u:object_r:tmpfs_t,s0)
> > > +/var/run/shm/.* <>
> >
> > Wouldn't it make more sense to just have a file context substitution
> > in the Debian policy?
>
> For some reason it's not working. Maybe because /var/run is already a
> tmpfs? If you want I can give a patch that defines this only for Debian.
>

I think it may be related to the fact that this tmpfs here is mounted
with the rootcontext= option in Debian

> Laurent Bigonville
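
Review bot: The two /var/run/shm entries added at the end of the filesystem.fc hunk are unconditional, although the commit message gives a Debian-only reason for them (/dev/shm being a symlink to /var/run/shm), and they land directly under the existing "# for systemd systems:" comment with only a blank line in between. Consider wrapping them in ifdef(`distro_debian',` ... ') and adding a one-line comment that states the symlink rationale, so that other distributions do not pick up a tmpfs_t label on that path and the entries are not read as part of the systemd block.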