From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 25 Jul 2014 08:22:03 -0400
Subject: [refpolicy] [PATCH] label for /run/tmpfiles.d
In-Reply-To: <53D1016B.5090302@redhat.com>
References: <1406148340-10759-1-git-send-email-jason@perfinion.com> <20140724114729.41703a93@soldur.bigon.be> <53D1016B.5090302@redhat.com>
Message-ID: <53D24BEB.9000708@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 7/24/2014 8:51 AM, Daniel J Walsh wrote:
>
> On 07/24/2014 06:36 AM, Jason Zaman wrote:
>>
>>
>> On 24 Jul 2014 13:47, "Laurent Bigonville" wrote:
>> >
>> > On Thu, 24 Jul 2014 00:45:40 +0400,
>> > Jason Zaman wrote:
>> >
>> > > kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
>> > > This patch was mostly taken from the Fedora policy.
>> >
>> > /run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
>> > labeled as part of this (still nonexistent in refpolicy) module if we
>> > want a dedicated context for this directory.
>>
>> Having a tmpfiles module for this is doable (where would it go in the
>> tree? I'm assuming not contrib/?)
>>
>> I need this for OpenRC too since it also uses tmpfiles so it is not
>> necessarily "systemd". The labels should definitely be in sync for
>> both tho.
>>
>> Should it be tmpfiles_var_run_t and tmpfiles_etc_t?
>>
>> Alternatively I could keep it in the Gentoo policy till the systemd
>> stuff is done but I would rather get the labels in sync first.
>>
> Currently Fedora has
> /var/run/tmpfiles.d/kmod.conf -- system_u:object_r:insmod_var_run_t:s0
>
> If we add a label for /var/run/tmpfiles.d/ it needs a named file trans
> rule for any process that creates content under it.

The transitions require names? Do individual domains create files in
there that necessitate different types?

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
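
The difference between the named and unnamed transitions discussed in this thread, as an added example that is not part of the original messages or of refpolicy: a small Python model that parses `type_transition` rules and resolves the type of a file created under a directory labeled `tmpfiles_var_run_t` (the name proposed in the thread). The domains `insmod_t` and `example_t` and the type `example_var_run_t` are assumptions made for illustration.

```python
import re

# Constructed rules in SELinux policy syntax (sample input, not from any real policy).
# insmod_var_run_t is the Fedora type quoted in the thread; insmod_t as the creating
# domain, example_t and example_var_run_t are assumptions.
RULES = '''
type_transition insmod_t tmpfiles_var_run_t:file insmod_var_run_t "kmod.conf";
type_transition example_t tmpfiles_var_run_t:file example_var_run_t;
'''

# source, parent directory type, object class, resulting type, optional file name
RULE_RE = re.compile(
    r'type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)(?:\s+"([^"]+)")?\s*;')


def parse_rules(text):
    """Return {(source, parent_type, tclass, name_or_None): new_type}."""
    return {(s, t, c, n or None): d for s, t, c, d, n in RULE_RE.findall(text)}


def new_file_type(rules, domain, parent_type, name, tclass="file"):
    """Type given to an object that `domain` creates as `name` in a directory
    labeled `parent_type`."""
    candidates = (
        (domain, parent_type, tclass, name),  # named rule: exact match on the last path component
        (domain, parent_type, tclass, None),  # unnamed rule: any name created by this domain
    )
    for key in candidates:
        if key in rules:
            return rules[key]
    return parent_type  # no matching rule: the object inherits the directory's type


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for domain, name in (("insmod_t", "kmod.conf"),
                         ("insmod_t", "other.conf"),
                         ("example_t", "anything.conf")):
        print(domain, name, "->",
              new_file_type(rules, domain, "tmpfiles_var_run_t", name))
```

A name is only needed when one domain creates files in the directory that must end up with different types; when every file a domain creates there should get the same type, the unnamed rule is enough.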