From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Sat, 23 Aug 2014 13:35:51 +0200 Subject: [refpolicy] [PATCH 7/7] Label (/var)?/tmp/systemd-private-.../tmp like /tmp In-Reply-To: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org> References: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org> Message-ID: <1408793751-11289-8-git-send-email-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Such directories are used by systemd as private mountpoints for services. --- policy/modules/kernel/files.fc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index b876c48adb12..fc765e7b38a7 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -191,6 +191,10 @@ ifdef(`distro_debian',` /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /tmp/lost\+found/.* <> +/tmp/systemd-private-[^/]+ -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/tmp/systemd-private-[^/]+/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/tmp/systemd-private-[^/]+/tmp/.* <> + # # /usr # @@ -265,6 +269,9 @@ ifndef(`distro_redhat',` /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> +/var/tmp/systemd-private-[^/]+ -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/var/tmp/systemd-private-[^/]+/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/var/tmp/systemd-private-[^/]+/tmp/.* <> /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0) ifdef(`distro_debian',` -- 2.0.4
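Review bot: in the first hunk (/tmp), the hunk header names ifdef(`distro_debian',` as the enclosing context, so please confirm the three new /tmp/systemd-private-[^/]+ entries sit outside that conditional block; systemd's private tmp directories are not Debian-specific and need labelling on every distribution. The rest of the hunk looks right: [^/]+ restricts the match to a single path component so nested paths cannot match, and ending with "/tmp/systemd-private-[^/]+/tmp/.*  <<none>>" (rendered here as "<>") is consistent with the existing "/tmp/lost\+found/.*  <<none>>" and "/var/tmp/.*  <<none>>" lines, so restorecon leaves service-created content in the private tmp alone instead of forcing it back to tmp_t.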
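Review bot: in the second hunk (/var/tmp), the new entries carry the MLS range s0-mls_systemhigh while the adjacent "/var/tmp/vi\.recover" entry uses plain s0; the wider range is the right choice, since each private tmp stands in for /var/tmp itself and mirrors the s0-mls_systemhigh range refpolicy gives /tmp and /var/tmp, but the one-line commit message ("Such directories are used by systemd as private mountpoints for services.") does not explain it. Suggest adding a sentence stating why the mount point directory itself gets tmp_t and why the full MLS range is used, and, as with the first hunk, checking that the lines land outside the ifndef(`distro_redhat',` block shown in the hunk header.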