From: jason@perfinion.com (Jason Zaman) Date: Sun, 5 Mar 2017 12:30:53 +0800 Subject: [refpolicy] [PATCH] /var/run -> /run In-Reply-To: References: <20170305040208.uglbioys5g4k6j4m@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 5 Mar 2017 12:02, "Russell Coker via refpolicy" wrote: This patch changes the remaining /var/run instances to /run. There are surprisingly few of them. Index: refpolicy-2.20170303/policy/modules/contrib/iodine.fc =================================================================== --- refpolicy-2.20170303.orig/policy/modules/contrib/iodine.fc +++ refpolicy-2.20170303/policy/modules/contrib/iodine.fc @@ -2,4 +2,4 @@ /usr/sbin/iodined -- gen_context(system_u:object_r: iodined_exec_t,s0) -/var/run/iodine(/.*)? gen_context(system_u:object_r: iodined_var_run_t,s0) +/run/iodine(/.*)? gen_context(system_u:object_r: iodined_var_run_t,s0) Index: refpolicy-2.20170303/policy/modules/contrib/mon.fc =================================================================== --- refpolicy-2.20170303.orig/policy/modules/contrib/mon.fc +++ refpolicy-2.20170303/policy/modules/contrib/mon.fc @@ -5,7 +5,7 @@ /usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0) -/var/run/mon(/.*)? gen_context(system_u:object_r: mon_var_run_t,s0) +/run/mon(/.*)? gen_context(system_u:object_r: mon_var_run_t,s0) /var/lib/mon(/.*)? gen_context(system_u:object_r: mon_var_lib_t,s0) /var/log/mon(/.*)? gen_context(system_u:object_r: mon_var_log_t,s0) Index: refpolicy-2.20170303/policy/modules/contrib/qemu.fc =================================================================== --- refpolicy-2.20170303.orig/policy/modules/contrib/qemu.fc +++ refpolicy-2.20170303/policy/modules/contrib/qemu.fc 
@@ -7,4 +7,4 @@ /usr/libexec/qemu.* -- gen_context(system_u:object_r: qemu_exec_t,s0) -/var/run/xen/qmp.* -- gen_context(system_u:object_r: qemu_var_run_t,s0) +/run/xen/qmp.* -- gen_context(system_u:object_r: qemu_var_run_t,s0) Index: refpolicy-2.20170303/policy/modules/kernel/files.fc =================================================================== --- refpolicy-2.20170303.orig/policy/modules/kernel/files.fc +++ refpolicy-2.20170303/policy/modules/kernel/files.fc @@ -212,8 +212,7 @@ HOME_ROOT/lost\+found/.* <> /usr/tmp/.* <> ifdef(`distro_debian',` -# on Debian /lib/init/rw is a tmpfs used like /var/run but -# before /var is mounted +# on Debian /lib/init/rw is a tmpfs used like /run /usr/lib/init/rw(/.*)? gen_context(system_u:object_r: var_run_t,s0-mls_systemhigh) ') @@ -253,7 +252,6 @@ ifndef(`distro_redhat',` /var/lost\+found -d gen_context(system_u:object_r: lost_found_t,mls_systemhigh) /var/lost\+found/.* <> -/var/run -d gen_context(system_u:object_r: var_run_t,s0-mls_systemhigh) I'd keep this. It can't hurt and I don't know if there are any edge cases or if not everyone has it as a symlink. /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/spool(/.*)? gen_context(system_u:object_r: var_spool_t,s0) Index: refpolicy-2.20170303/policy/modules/system/logging.fc =================================================================== --- refpolicy-2.20170303.orig/policy/modules/system/logging.fc +++ refpolicy-2.20170303/policy/modules/system/logging.fc 
@@ -55,7 +55,7 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') -/var/run/systemd/journal/stdout -s gen_context(system_u:object_r: devlog_t,mls_systemhigh) +/run/systemd/journal/stdout -s gen_context(system_u:object_r: devlog_t,mls_systemhigh) /run/audit_events -s gen_context(system_u:object_r: auditd_var_run_t,mls_systemhigh) /run/audispd_events -s gen_context(system_u:object_r: audisp_var_run_t,mls_systemhigh) Index: refpolicy-2.20170303/policy/modules/system/sysnetwork.fc =================================================================== --- refpolicy-2.20170303.orig/policy/modules/system/sysnetwork.fc +++ refpolicy-2.20170303/policy/modules/system/sysnetwork.fc @@ -71,6 +71,6 @@ ifdef(`distro_gentoo',` ifdef(`distro_debian',` /run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) -/var/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0) +/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0) ') Index: refpolicy-2.20170303/policy/modules/system/systemd.fc =================================================================== --- refpolicy-2.20170303.orig/policy/modules/system/systemd.fc +++ refpolicy-2.20170303/policy/modules/system/systemd.fc @@ -50,4 +50,4 @@ /run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r: systemd_kmod_conf_t,s0) /var/log/journal(/.*)? gen_context(system_u:object_r: systemd_journal_t,s0) -/var/run/log/journal(/.*)? gen_context(system_u:object_r: systemd_journal_t,s0) +/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) Index: refpolicy-2.20170303/config/file_contexts.subs_dist =================================================================== --- refpolicy-2.20170303.orig/config/file_contexts.subs_dist +++ refpolicy-2.20170303/config/file_contexts.subs_dist 
@@ -22,8 +22,3 @@ /usr/local/lib32 /usr/lib /usr/local/lib64 /usr/lib /usr/local/lib /usr/lib - -# backward compatibility -# not for refpolicy intern, but for /var/run using applications, -# like systemd tmpfiles or systemd socket configurations -/var/run /run This has to stay. It's for when other programs do stuff with /var/run. Otherwise the labels would be wrong.
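Review bot: in the files.fc hunk at @@ -212, the rewritten comment loses the "but before /var is mounted" clause, which was the only statement of why Debian had a separate tmpfs at /lib/init/rw at all; with /run as the comparison that clause no longer fits, but the line should still say that /lib/init/rw is the older, pre-/run mechanism rather than just "a tmpfs used like /run", otherwise a later reader has no hint why the entry exists.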
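Review bot: in the files.fc hunk at @@ -253, dropping `/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)` leaves only the `/var/run -l` entry, so on any image where /var/run is still a real directory rather than a symlink to /run there is no var_run_t entry for it and it falls through to the generic /var rules; note also that the removed `-d` line carried the s0-mls_systemhigh range while the surviving `-l` line is plain s0. Keep the directory entry next to the symlink one unless every supported init and distro target is known to guarantee the symlink.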
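Review bot: the file_contexts.subs_dist hunk deletes `/var/run /run` together with the comment that states its purpose ("not for refpolicy intern, but for /var/run using applications, like systemd tmpfiles or systemd socket configurations"), and nothing in the patch replaces that mechanism. Once the rest of this series moves every file context line to /run, a libselinux lookup for a /var/run/... path that a tmpfiles.d fragment or socket unit hands in no longer maps onto those /run entries and yields the wrong context; this substitution is exactly what keeps such callers correct, so it has to remain.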