From: jason@perfinion.com (Jason Zaman)
Date: Thu, 24 Jul 2014 00:45:40 +0400
Subject: [refpolicy] [PATCH] label for /run/tmpfiles.d
Message-ID: <1406148340-10759-1-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles. This patch was mostly taken from the fedora policy.
---
 policy/modules/system/modutils.fc | 2 ++
 policy/modules/system/modutils.te | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 9933677..744a49a 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -23,3 +23,5 @@ ifdef(`distro_gentoo',`
 /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
 /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
+
+/var/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:insmod_var_run_t,s0)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 59ecb2b..945b318 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -18,6 +18,9 @@ application_domain(insmod_t, insmod_exec_t)
 mls_file_write_all_levels(insmod_t)
 role system_r types insmod_t;
+type insmod_var_run_t;
+files_pid_file(insmod_var_run_t)
+
 # module loading config
 type modules_conf_t;
 files_type(modules_conf_t)
@@ -115,6 +118,10 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
 list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
 read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
+manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
+files_pid_filetrans(insmod_t, insmod_var_run_t, { dir file })
+
 can_exec(insmod_t, insmod_exec_t)
 kernel_load_module(insmod_t)
-- 
1.8.5.5
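Review bot: The added modutils.fc entry `/var/run/tmpfiles.d(/.*)?` labels the whole drop-in directory and everything under it with the kmod-specific type `insmod_var_run_t`, and it has no file-type specifier, so it matches every object class. The commit message says only that kmod puts a file there which tmpfiles then uses, so the directory itself does not look kmod-owned. If other packages also write fragments into it, they would have to be granted write access to an insmod type, and insmod_t would gain control over fragments it did not create. Since tmpfiles acts on these fragments with its own privileges, write access here is integrity-sensitive. A narrower entry would label only the file kmod writes, for example `/var/run/tmpfiles.d/<kmod-file> -- gen_context(system_u:object_r:insmod_var_run_t,s0)` (`<kmod-file>` is a placeholder, the page does not name the file), and leave the directory on its generic type.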
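Review bot: The new `type insmod_var_run_t;` declaration in modutils.te has no comment, while the declaration right below it is introduced by `# module loading config`. The name reads like an ordinary pid-file type, but per the commit message the content is a tmpfiles.d fragment that a different domain consumes. A one-line comment above the declaration, such as `# tmpfiles.d fragment written by kmod under /run`, would make that intent visible to the next reviewer of the access rules.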
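Review bot: `files_pid_filetrans(insmod_t, insmod_var_run_t, { dir file })` in the third hunk has no object name, so every directory or regular file that insmod_t creates directly in the pid directory becomes `insmod_var_run_t`, not only tmpfiles.d. Combined with `manage_dirs_pattern` and `manage_files_pattern`, this is broader than the single file the commit message describes. A named transition keeps it to the intended object: `files_pid_filetrans(insmod_t, insmod_var_run_t, dir, "tmpfiles.d")`. The diffstat also shows only modutils.fc and modutils.te changed, so nothing here grants the tmpfiles domain read access to the new type. Unless an existing generic pid-file rule covers it, the consumer would be denied in enforcing mode, which is worth confirming against the audit log. The insmod_t local policy continues outside this hunk.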