From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 24 Jul 2014 08:51:55 -0400
Subject: [refpolicy] [PATCH] label for /run/tmpfiles.d
In-Reply-To:
References: <1406148340-10759-1-git-send-email-jason@perfinion.com> <20140724114729.41703a93@soldur.bigon.be>
Message-ID: <53D1016B.5090302@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/24/2014 06:36 AM, Jason Zaman wrote:
>
> On 24 Jul 2014 13:47, "Laurent Bigonville" wrote:
> >
> > On Thu, 24 Jul 2014 00:45:40 +0400,
> > Jason Zaman wrote:
> >
> > > kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
> > > This patch was mostly taken from the fedora policy.
> >
> > /run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
> > labeled as part of this (still nonexistent in refpolicy) module if we
> > want a dedicated context for this directory.
>
> Having a tmpfiles module for this is doable (where would it go in the
> tree? I'm assuming not contrib/?)
>
> I need this for OpenRC too since it also uses tmpfiles so it is not
> necessarily "systemd". The labels should definitely be in sync for
> both tho.
>
> Should it be tmpfiles_var_run_t and tmpfiles_etc_t?
>
> Alternatively I could keep it in the Gentoo policy till the systemd
> stuff is done but I would rather get the labels in sync first.
>
> -- Jason

Currently Fedora has

/var/run/tmpfiles.d/kmod.conf -- system_u:object_r:insmod_var_run_t:s0

If we add a label for /var/run/tmpfiles.d/ it needs a named file trans rule for any process that creates content under it.
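
A policy fragment showing the kind of named file transition this reply refers to, added here as an illustration and not taken from the refpolicy or Fedora trees. It assumes the directory type is called tmpfiles_var_run_t (the name floated in the thread, not an existing refpolicy type) and that the creating domain is insmod_t.

```selinux
# --- file contexts (.fc): used only when relabeling (restorecon, setfiles) ---
/var/run/tmpfiles\.d(/.*)?		gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
/var/run/tmpfiles\.d/kmod\.conf	--	gen_context(system_u:object_r:insmod_var_run_t,s0)

# --- type enforcement (.te) ---
# Assumed type name for the directory, as proposed in the thread.
type tmpfiles_var_run_t;
files_pid_file(tmpfiles_var_run_t)

# At creation time the kernel ignores the .fc entries: a new file inherits the
# parent directory's type unless a type_transition rule matches. Once the
# directory is tmpfiles_var_run_t, kmod.conf would be created with that type
# and disagree with the .fc entry until the next relabel.
# The named transition keys on the file name, so only "kmod.conf" created by
# insmod_t in this directory gets insmod_var_run_t.
filetrans_pattern(insmod_t, tmpfiles_var_run_t, insmod_var_run_t, file, "kmod.conf")
```

Each additional domain that writes its own file into the directory needs an equivalent rule with its own file name and type.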