From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 5 Mar 2017 08:01:04 +0100
Subject: [refpolicy] [PATCH] systemd-nspawn
In-Reply-To: <201703051606.29399.russell@coker.com.au>
References: <20170228110557.ck7x4ligazrhdnrx@athena.coker.com.au> <20170304122634.GA3913@t450.enp8s0.d30> <201703051541.06781.russell@coker.com.au> <201703051606.29399.russell@coker.com.au>
Message-ID: <20170305070104.GA14030@t450.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Mar 05, 2017 at 04:06:29PM +1100, Russell Coker wrote:
> On Sun, 5 Mar 2017 03:41:06 PM Russell Coker wrote:
> > Applications should use the canonical name which has been /run for some
> > years now. We can have the subst entry in the upstream policy for a
> > while to cater for this, but in the long term it should be removed. If
> > there are any apps that do such lookups with /var/run then I think the
> > correct thing to do is to have duplicate file_contexts entries for those
> > few files rather than having a subst entry for the entire system. This
> > means we know which things need to be fixed.
>
> I've just filed Debian bug reports against mon, iodine, screen, and openssh for
> having tmpfiles.d entries that used /var/run. I'll file more for any other
> daemons that do it.
>
> I think we should all file bugs against packages that use /var/run.
>
> https://lists.fedoraproject.org/pipermail/devel/2011-March/150031.html
>
> Above is the explanation of /run that describes changes made in Fedora 6 years
> ago! 6 years is more than enough time to complete the migration. If it's not
> done yet it's a bug.
>
> grep var/run /usr/lib/tmpfiles.d/*
>
> The above command may show some bug reports you need to file.

;) also do:

grep var/run/ /usr/lib/systemd/system/*.socket

socket activated sockets specified with /var/run will also be created with the wrong context

>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
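The two grep checks from this thread, as an added example that is not part of the original messages: instead of matching the substring anywhere, it reports only tmpfiles.d entries whose path field, and socket units whose Listen* value, sit under /var/run. The function names (scan_tmpfiles, scan_sockets, demo) are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: find tmpfiles.d entries and .socket units that still name
# /var/run instead of the canonical /run.

# tmpfiles.d lines are "type path mode user group age"; check field 2 only.
scan_tmpfiles() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
            index($2, "/var/run/") == 1 || $2 == "/var/run" {
                printf "%s:%d: %s\n", file, NR, $2
            }' "$f"
    done
}

# Socket units: report Listen*= directives whose value is under /var/run.
scan_sockets() {
    dir=$1
    for f in "$dir"/*.socket; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*Listen[A-Za-z]*[ \t]*=/ {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v)   # keep only the value
                if (index(v, "/var/run/") == 1)
                    printf "%s:%d: %s\n", file, NR, v
            }' "$f"
    done
}

# Constructed sample tree, so the script runs on a machine without systemd.
demo() {
    root=$(mktemp -d)
    mkdir "$root/tmpfiles.d" "$root/system"
    printf '%s\n' '# constructed sample' \
        'd /var/run/screen 0775 root utmp -' \
        'd /run/sshd 0755 root root -' > "$root/tmpfiles.d/sample.conf"
    printf '%s\n' '[Socket]' 'ListenStream=/var/run/sample.sock' \
        'ListenStream=/run/other.sock' > "$root/system/sample.socket"
    scan_tmpfiles "$root/tmpfiles.d"
    scan_sockets "$root/system"
    rm -rf "$root"
}

# With two directory arguments scan those, otherwise run the constructed demo.
if [ $# -eq 2 ]; then scan_tmpfiles "$1"; scan_sockets "$2"; else demo; fi
```

On a real system, pass the directories from the thread: /usr/lib/tmpfiles.d and /usr/lib/systemd/system.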