From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 6 Dec 2016 20:05:25 -0500
Subject: [refpolicy] Transition from /var/run to /run
In-Reply-To:
References:
Message-ID: <645cd8e3-f02f-da02-bc4a-0e5f00202ade@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/06/16 05:37, cgzones via refpolicy wrote:
> Hi list,
> I'd like to discuss transitioning the file contexts from /var/run to
> /run and with it /var/run/lock to /run/lock.
>
> The FHS 3.0 suggests using /run over /var/run.
> http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html
> http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html
>
> From my point of view, most of the distros using the reference policy are
> using /run.
> I did not find any documentation for Gentoo, but for me, it seems
> Gentoo is using /run too.

I'm not in a rush to replace it, since the path substitutions handle it easily. When we do change it, all references in the policy would need to change.

> Arch:
> https://wiki.archlinux.org/index.php/Tmpfs
>
> Debian:
> https://wiki.debian.org/ReleaseGoals/RunDirectory
>
> Fedora:
> https://docs.fedoraproject.org/en-US/Fedora/15/html/Release_Notes/sect-Release_Notes-Changes_for_SysAdmin.html
> https://lwn.net/Articles/436012/
>
>
> This transition can either be done by hand, or I am currently testing a
> scripted transition by running
> find refpolicy/ -name '*.fc' -exec sed -i 's|^/var/run/|/run/|' {} \;
> find refpolicy/ -name '*.fc' -exec sed -i 's|^/var/lock/|/run/lock/|' {} \;
>
> and then patching
>
> diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist > index e233ea70..6f5ef492 100644 > --- a/config/file_contexts.subs_dist > +++ b/config/file_contexts.subs_dist
> @@ -12,11 +12,11 @@ > /lib/systemd /usr/lib/systemd > /lib32 /lib > /lib64 /lib > -/run /var/run > -/run/lock /var/lock > +#/run /var/run > +#/run/lock /var/lock > /usr/lib32 /usr/lib > /usr/lib64 /usr/lib > /usr/local/lib32 /usr/lib > /usr/local/lib64 /usr/lib > /usr/local/lib /usr/lib > -/var/run/lock /var/lock > +#/var/run/lock /var/lock > > diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc > index fc765e7b..d6874cd4 100644 > --- a/policy/modules/kernel/files.fc > +++ b/policy/modules/kernel/files.fc > @@ -245,7 +245,8 @@ ifndef(`distro_redhat',` > /var/lib/nfs/rpc_pipefs(/.*)? <> > -/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) > +/var/lock -d gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh) > +/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) > /var/log/lost\+found -d > gen_context(system_u:object_r:lost_found_t,mls_systemhigh) > /var/log/lost\+found/.* <> > @@ -258,8 +259,6 @@ ifndef(`distro_redhat',` > /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) > /var/run -l gen_context(system_u:object_r:var_run_t,s0) > -/var/run/.* gen_context(system_u:object_r:var_run_t,s0) > -/var/run/.*\.*pid <> > /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) > /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) > @@ -275,6 +274,6 @@ ifndef(`distro_redhat',` > /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0) > ifdef(`distro_debian',` > -/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) > -/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) > +/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) > +/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) > ')
>
> Kindly regards,
> Christian Göttsche

-- 
Chris PeBenito
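Review bot: commenting out all three substitutions in config/file_contexts.subs_dist leaves no mapping in either direction, so any .fc entry the sed pass did not rewrite (anything not anchored at `^/var/run/` or `^/var/lock/`, for instance `/var/lock(/.*)?`) silently stops applying to the /run tree; suggest replacing the removed lines with the inverse mapping (`/var/run /run`, `/var/lock /run/lock`) so that out-of-tree .fc files and tooling still keyed to /var/run keep resolving through the substitution, and if the old lines are really gone for good, delete them rather than leaving `#/run /var/run` as dead configuration.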
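Review bot: in the `@@ -245` hunk of files.fc, replacing `/var/lock(/.*)?` with a `-d` and an `-l` entry means nothing labels files underneath /var/lock any more; that is only correct where /var/lock is a symlink into /run/lock, so the commit message should say so and name the distros that were checked. The new `-d` line also widens the MLS range from `s0` to `s0-mls_systemhigh`; if that is deliberate, to mirror the existing `/var/run -d` entry, say so, otherwise keep `s0`.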
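Review bot: the `@@ -258` hunk removes `/var/run/.*` and the `/var/run/.*\.*pid <>` override from the file as it reads before the sed pass, yet the sed pass would have rewritten both to `/run/...`; state whether the patch is applied before or after the sed run (the mail says after, in which case this hunk will not apply), and confirm that files.fc already carries a `/run/.*` entry and a `/run/.*\.*pid <>` override, because the hunk adds neither and the pid-file behaviour under /run otherwise changes silently.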
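Review bot: the `@@ -275` hunk does exactly what `sed -i 's|^/var/run/|/run/|'` already does to the two `distro_debian` motd lines, so it will fail to apply once the sed pass has run; either drop this hunk and let the sed handle it, or fold the sed's complete result for files.fc into the patch so there is one mechanism for the rename rather than two that overlap.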
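The find/sed rewrite quoted above, followed by the audit that Chris's reply calls for (every remaining reference in the policy has to change), as an added example that is not part of the thread and not refpolicy's own tooling. The .fc excerpts it builds are constructed for illustration, and the function names are this example's own. It also shows the edge case the anchored sed misses: `/var/lock(/.*)?` has no slash after `lock`, so `^/var/lock/` never rewrites it, and only the audit catches it.

```shell
#!/bin/sh
# Added example (not from the thread or from refpolicy): apply the
# /var/run -> /run and /var/lock -> /run/lock rewrite to .fc files, then
# audit the tree for references the anchored sed cannot reach.
# The .fc excerpts built in make_sample_tree are constructed for
# illustration; the function names are this example's own.

# Rewrite anchored /var/run/ and /var/lock/ prefixes in every .fc file under $1.
# '*.fc' is quoted so the shell does not expand it before find sees it, and
# sed writes to a temp file instead of depending on GNU-only 'sed -i'.
rewrite_fc_paths() {
    find "$1" -name '*.fc' -exec sh -c '
        for f; do
            sed -e "s|^/var/run/|/run/|" -e "s|^/var/lock/|/run/lock/|" "$f" \
                > "$f.tmp" && mv "$f.tmp" "$f"
        done' sh {} +
}

# Print file:line for every non-comment line in .fc/.if/.te files that still
# names something under /var/run or /var/lock. "/var/run -d" (the directory
# itself, which the patch keeps) is not reported; "/var/lock(/.*)?" is,
# because "^/var/lock/" never matches it.
list_stale_refs() {
    find "$1" \( -name '*.fc' -o -name '*.if' -o -name '*.te' \) \
        -exec grep -H -E '^[^#]*/var/(run|lock)[^[:space:]]' {} +
}

# Number of such lines, as a plain integer.
count_stale_refs() {
    list_stale_refs "$1" | wc -l | tr -d ' '
}

# Build a throwaway tree shaped like refpolicy (constructed content, not the
# real files) and print its path.
make_sample_tree() {
    sample_dir=$(mktemp -d)
    mkdir -p "$sample_dir/policy/modules/kernel" "$sample_dir/policy/modules/services"
    cat > "$sample_dir/policy/modules/kernel/files.fc" <<'EOF'
/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
EOF
    cat > "$sample_dir/policy/modules/services/apache.fc" <<'EOF'
# pid and lock files (comment lines are ignored by the audit)
/var/run/apache2(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lock/apache2(/.*)? gen_context(system_u:object_r:httpd_lock_t,s0)
EOF
    printf '%s\n' "$sample_dir"
}

# Stand-alone run: 5 stale lines before, 1 after (the unanchored /var/lock regex).
sample=$(make_sample_tree)
echo "stale before rewrite: $(count_stale_refs "$sample")"
rewrite_fc_paths "$sample"
echo "stale after rewrite:  $(count_stale_refs "$sample")"
list_stale_refs "$sample"
rm -rf "$sample"
```

Run it against a real checkout by calling `rewrite_fc_paths refpolicy/` and then `list_stale_refs refpolicy/`; whatever the audit still prints is the list of entries that need the hand edits the patch above makes, and an empty list is the condition under which dropping the `/run /var/run` substitutions is safe.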