From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 26 Aug 2014 09:15:17 -0400
Subject: [refpolicy] [PATCH 7/7] Label
 (/var)?/tmp/systemd-private-.../tmp like /tmp
In-Reply-To: <1408793751-11289-8-git-send-email-nicolas.iooss@m4x.org>
References: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org>
	<1408793751-11289-8-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <53FC8865.8010008@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/23/2014 7:35 AM, Nicolas Iooss wrote:
> Such directories are used by systemd as private mountpoints for
> services.
> ---
>  policy/modules/kernel/files.fc | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index b876c48adb12..fc765e7b38a7 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -191,6 +191,10 @@ ifdef(`distro_debian',`
>  /tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
>  /tmp/lost\+found/.*		<<none>>
>  
> +/tmp/systemd-private-[^/]+	-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
> +/tmp/systemd-private-[^/]+/tmp	-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
> +/tmp/systemd-private-[^/]+/tmp/.*	<<none>>
> +
>  #
>  # /usr
>  #
> @@ -265,6 +269,9 @@ ifndef(`distro_redhat',`
>  /var/tmp/.*			<<none>>
>  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
>  /var/tmp/lost\+found/.*		<<none>>
> +/var/tmp/systemd-private-[^/]+	-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
> +/var/tmp/systemd-private-[^/]+/tmp	-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
> +/var/tmp/systemd-private-[^/]+/tmp/.*	<<none>>
>  /var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)

Merged.  I think we should consider doing file context path
substitutions from /tmp to /var/tmp.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com