From: jason@perfinion.com (Jason Zaman)
Date: Fri, 25 Jul 2014 16:49:05 +0400
Subject: [refpolicy] [PATCH] label for /run/tmpfiles.d
In-Reply-To: <53D24BEB.9000708@tresys.com>
References: <1406148340-10759-1-git-send-email-jason@perfinion.com>
 <20140724114729.41703a93@soldur.bigon.be>
 <53D1016B.5090302@redhat.com>
 <53D24BEB.9000708@tresys.com>
Message-ID: <20140725124905.GB20016@pippin.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Jul 25, 2014 at 08:22:03AM -0400, Christopher J. PeBenito wrote:
> On 7/24/2014 8:51 AM, Daniel J Walsh wrote:
> >
> > On 07/24/2014 06:36 AM, Jason Zaman wrote:
> >>
> >> On 24 Jul 2014 13:47, "Laurent Bigonville" wrote:
> >> >
> >> > On Thu, 24 Jul 2014 00:45:40 +0400, Jason Zaman wrote:
> >> >
> >> > > kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
> >> > > This patch was mostly taken from the fedora policy.
> >> >
> >> > /run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
> >> > labeled as part of this (still inexistent in refpolicy) module if we
> >> > want a dedicated context for this directory.
> >>
> >> Having a tmpfiles module for this is doable (where would it go in the
> >> tree? I'm assuming not contrib/?)
> >>
> >> I need this for OpenRC too since it also uses tmpfiles so it is not
> >> necessarily "systemd". The labels should definitely be in sync for
> >> both tho.
> >>
> >> Should it be tmpfiles_var_run_t and tmpfiles_etc_t?
> >>
> >> Alternatively I could keep it in the Gentoo policy till the systemd
> >> stuff is done but I would rather get the labels in sync first.
> >>
> > Currently Fedora has
> > /var/run/tmpfiles.d/kmod.conf -- system_u:object_r:insmod_var_run_t:s0
> >
> > If we add a label for /var/run/tmpfiles.d/ it needs a named file trans
> > rule for any process that creates content under it.
>
> The transitions require names? Do individual domains create files in
> there that necessitate different types?
kmod just needs to be able to create the file, it doesn't use it after
creating. systemd-tmpfiles is the one that reads the file later.

I think having everything labelled tmpfiles_var_run_t and letting
insmod_t create a file in the dir is fine too.

-- 
Jason
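Added sketch (not code from the thread or from refpolicy) of the two labelling options discussed above as refpolicy source: a shared tmpfiles_var_run_t that kmod's file simply inherits, versus Fedora's private insmod_var_run_t, which needs the named file transition Dan mentions. The tmpfiles module name, the two interface names, and the presence of insmod_var_run_t in modutils are assumptions.

```selinux
# tmpfiles.fc (hypothetical module; refpolicy's file_contexts.subs_dist maps /run to /var/run)
/var/run/tmpfiles\.d(/.*)?	gen_context(system_u:object_r:tmpfiles_var_run_t,s0)

# tmpfiles.te
policy_module(tmpfiles, 0.1)

type tmpfiles_var_run_t;
files_pid_file(tmpfiles_var_run_t)

# tmpfiles.if
## <summary>Create, read, write and delete fragments in /run/tmpfiles.d.</summary>
interface(`tmpfiles_manage_var_run_files',`
	gen_require(`
		type tmpfiles_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
')

## <summary>Named file transition into /run/tmpfiles.d for a domain that wants a private type for its fragment.</summary>
interface(`tmpfiles_var_run_filetrans',`
	gen_require(`
		type tmpfiles_var_run_t;
	')

	files_search_pids($1)
	filetrans_pattern($1, tmpfiles_var_run_t, $2, $3, $4)
')

# modutils.te, option (a): everything in the dir stays tmpfiles_var_run_t,
# insmod_t just needs create/write access and no transition rule.
optional_policy(`
	tmpfiles_manage_var_run_files(insmod_t)
')

# modutils.te, option (b): Fedora-style private type; without the named
# transition kmod.conf would otherwise inherit tmpfiles_var_run_t.
# Assumes insmod_var_run_t is declared and insmod_t already manages it.
optional_policy(`
	tmpfiles_var_run_filetrans(insmod_t, insmod_var_run_t, file, "kmod.conf")
')
```

Whichever option is chosen, systemd-tmpfiles (and OpenRC's tmpfiles runner) still needs read access to tmpfiles_var_run_t, and under option (b) also to insmod_var_run_t, which is the cost of per-domain types that the reply above avoids.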