From: cgzones@googlemail.com (cgzones)
Date: Tue, 6 Dec 2016 11:37:51 +0100
Subject: [refpolicy] Transition from /var/run to /run
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi list,

I'd like to discuss transitioning the file contexts from /var/run to /run and, with it, /var/run/lock to /run/lock.

The FHS 3.0 suggests using /run over /var/run.
http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html
http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html

From my point of view, most of the distros using the reference policy are using /run. I did not find any documentation for Gentoo, but for me, it seems Gentoo is using /run too.

Arch: https://wiki.archlinux.org/index.php/Tmpfs
Debian: https://wiki.debian.org/ReleaseGoals/RunDirectory
Fedora: https://docs.fedoraproject.org/en-US/Fedora/15/html/Release_Notes/sect-Release_Notes-Changes_for_SysAdmin.html
https://lwn.net/Articles/436012/

This transition can either be done by hand, or, as I am currently testing, as a scripted transition by running

    find refpolicy/ -name '*.fc' -exec sed -i 's|^/var/run/|/run/|' {} \;
    find refpolicy/ -name '*.fc' -exec sed -i 's|^/var/lock/|/run/lock/|' {} \;

and then patching

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index e233ea70..6f5ef492 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -12,11 +12,11 @@
 /lib/systemd /usr/lib/systemd
 /lib32 /lib
 /lib64 /lib
-/run /var/run
-/run/lock /var/lock
+#/run /var/run
+#/run/lock /var/lock
 /usr/lib32 /usr/lib
 /usr/lib64 /usr/lib
 /usr/local/lib32 /usr/lib
 /usr/local/lib64 /usr/lib
 /usr/local/lib /usr/lib
-/var/run/lock /var/lock
+#/var/run/lock /var/lock
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index fc765e7b..d6874cd4 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -245,7 +245,8 @@ ifndef(`distro_redhat',`
 /var/lib/nfs/rpc_pipefs(/.*)? <>
-/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock -d gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh)
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/log/lost\+found/.* <>
@@ -258,8 +259,6 @@ ifndef(`distro_redhat',`
 /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
 /var/run -l gen_context(system_u:object_r:var_run_t,s0)
-/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
-/var/run/.*\.*pid <>
 /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
 /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -275,6 +274,6 @@ ifndef(`distro_redhat',`
 /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
 ifdef(`distro_debian',`
-/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')

Kind regards,
Christian Göttsche
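Review bot: in the file_contexts.subs_dist hunk, delete the three lines rather than commenting them out (`#/run /var/run`, `#/run/lock /var/lock`, `#/var/run/lock /var/lock`), and consider putting the reverse mappings `/var/run /run` and `/var/lock /run/lock` in their place: the files.fc hunks keep the `/var/run -d` and `-l` entries but drop `/var/run/.*`, so on a system where /var/run or /var/lock is still a real directory rather than a symlink to /run, nothing under them is matched any more; a substitution in the new direction keeps those legacy paths labelled without duplicating the /run entries in every module.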
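Review bot: in the @@ -245 hunk of files.fc, replacing `/var/lock(/.*)?` with only the `-d` and `-l` entries drops the context for everything inside a real /var/lock directory, and the sed expression `s|^/var/lock/|/run/lock/|` cannot have produced a `/run/lock` replacement for it because the old pattern has no trailing slash after /var/lock; unless files.fc already carries `/run/lock` entries elsewhere, add `/run/lock -d` (var_lock_t, s0-mls_systemhigh) and `/run/lock/.*` (var_lock_t, s0) here for the new location, or say in the commit message where the /run/lock entries come from.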
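Review bot: in the @@ -258 hunk of files.fc, the deleted `/var/run/.*` and `/var/run/.*\.*pid <>` lines have no `/run/.*` counterpart in this hunk, although `sed 's|^/var/run/|/run/|'` would have rewritten them rather than removed them; if they were dropped because files.fc already has `/run/.*` entries, say so in the commit message, otherwise add `/run/.*` (var_run_t, s0) and the pid-file `<>` line under /run so files created in /run keep the var_run_t default. Keeping `/var/run -d` and `/var/run -l` without a `/var/run/.*` line also means nothing inside a still-real /var/run directory is matched any more.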
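The scripted transition described above, rehearsed on a constructed mini policy tree as an added example (this is not refpolicy's own tooling nor the author's script): it runs the same two sed expressions, then lists the .fc entries they leave behind (both expressions require a trailing slash, so the `-d`/`-l` directory entries and the `/var/lock(/.*)?` pattern are skipped and need hand edits) and the subs lines that would still map the new /run paths back onto /var/run. All file names, entries and types in the sample tree are constructed for the example; GNU sed is assumed for `sed -i` without a suffix argument.

```shell
#!/bin/sh
# Added rehearsal script (not refpolicy's own tooling): run the two sed
# expressions from the mail over a constructed mini policy tree, then list
# what they leave behind and which subs lines would send lookups for the new
# /run paths back to /var/run. Every path, entry and type below is constructed
# for the example. Needs GNU sed (-i without a suffix argument).
set -eu

make_tree() {   # $1: empty directory to fill with the constructed sample tree
    mkdir -p "$1/policy/modules/kernel" "$1/policy/modules/services" "$1/config"
    # files.fc: the directory/symlink entries have no slash after /var/run
    cat > "$1/policy/modules/kernel/files.fc" <<'EOF'
/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
EOF
    # a service module with one pid file and one lock file (constructed)
    cat > "$1/policy/modules/services/cron.fc" <<'EOF'
/var/run/crond\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/lock/subsys/crond -- gen_context(system_u:object_r:var_lock_t,s0)
EOF
    # subs file as it stands before the transition (the lines the patch touches)
    cat > "$1/config/file_contexts.subs_dist" <<'EOF'
/lib64 /lib
/run /var/run
/run/lock /var/lock
/var/run/lock /var/lock
EOF
}

rewrite_fc() {  # $1: tree root; the exact two expressions from the mail
    find "$1" -name '*.fc' -exec sed -i 's|^/var/run/|/run/|' {} \;
    find "$1" -name '*.fc' -exec sed -i 's|^/var/lock/|/run/lock/|' {} \;
}

# Entries still anchored at /var/run or /var/lock after the rewrite; these are
# the ones that need hand edits because the expressions only match a trailing
# slash, so "-d"/"-l" entries and "/var/lock(/.*)?" are never touched.
leftovers() {   # $1: tree root; prints file:line:entry
    find "$1" -name '*.fc' -exec grep -HnE '^/var/(run|lock)' {} + || true
}
count_leftovers() { leftovers "$1" | wc -l | tr -d ' '; }

# Subs lines whose source is under /run and whose target is under /var: once
# the .fc files say /run, they would redirect lookups to entries that no
# longer exist, so they have to go.
stale_subs() {  # $1: tree root; prints the number of such lines
    awk '$1 ~ /^\/run(\/|$)/ && $2 ~ /^\/var\// { n++ } END { print n+0 }' \
        "$1/config/file_contexts.subs_dist"
}
drop_stale_subs() {  # $1: tree root; delete those lines outright
    sed -i -E '/^\/run(\/[^[:space:]]*)?[[:space:]]+\/var\//d' \
        "$1/config/file_contexts.subs_dist"
}

# Stand-alone run: rehearse in a temp dir and print what is left to do by hand.
root=$(mktemp -d)
make_tree "$root"
rewrite_fc "$root"
drop_stale_subs "$root"
echo "fc entries still needing hand edits: $(count_leftovers "$root")"
leftovers "$root"
echo "stale subs lines remaining: $(stale_subs "$root")"
rm -rf "$root"
```

Point `make_tree` at a copy of the real tree (or replace it with `cp -a`) to get the actual list of hand edits before touching the policy; the three leftovers the sample produces are exactly the kind of entry the patch above edits by hand in files.fc.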