From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 4 Mar 2017 07:16:41 -0500
Subject: [refpolicy] [PATCH] systemd-nspawn
In-Reply-To: <201703010112.08588.russell@coker.com.au>
References: <20170228110557.ck7x4ligazrhdnrx@athena.coker.com.au>
 <201703010112.08588.russell@coker.com.au>
Message-ID: <0ae32e3a-4447-62fc-736a-19e5db03ff44@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/28/17 09:12, Russell Coker via refpolicy wrote:
> On Tue, 28 Feb 2017 10:05:57 PM Russell Coker via refpolicy wrote:
>> Index: refpolicy-2.20170227/policy/modules/system/logging.fc
>> ===================================================================
>> --- refpolicy-2.20170227.orig/policy/modules/system/logging.fc
>> +++ refpolicy-2.20170227/policy/modules/system/logging.fc
>> @@ -64,7 +64,6 @@ ifdef(`distro_redhat',`
>> /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run
>> _t,s0)
>> /run/log -s gen_context(system_u:object_r:devlog_t,s0)
>> /run/log -d gen_context(system_u:object_r:var_log_t,s0-
>> mls_systemhigh)
>> -/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_system
>> high)
>> /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_r
>> un_t,s0)
>> /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
>> un_t,mls_systemhigh)
>> /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
>> un_t,mls_systemhigh)
>
> This doesn't really belong in the nspawn patch. The reason it's in is nspawn
> was left after I split everything else into different patches.
>
> It's not a mistake, that labelling of /run/log/journal breaks systemd-journald
> and needs to be removed. When it's removed the entry for /var/run/log/journal
> takes over and gives the desired result. I don't know why /run/log/journal
> gets priority on my system.
>
> We need to fix this /run vs /var/run thing. We need one canonical name and we
> need to change everything to it. Chris, you want me to write a patch to
> change everything to /run?

Yes, I'd take that patch as a standalone. Should I still look at this one?

-- 
Chris PeBenito
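Review bot: The removed line `-/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_systemhigh)` is the only rule in this hunk that covers the journal subtree, and nothing in the hunk replaces it; the remaining `/run/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)` matches only the /run/log directory itself, so after this change the labelling of /run/log/journal and its contents depends entirely on a /var/run/log/journal entry that is outside the visible diff and is mentioned only in the reply. The patch description should name that entry and the type it assigns, state why the /run spelling took precedence over /var/run on the reporting system, and carry this removal as a separate logging.fc patch rather than inside the systemd-nspawn change, since the two are unrelated and a reader of the nspawn commit would not expect a journald labelling fix in it.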