From: russell@coker.com.au (Russell Coker) Date: Wed, 22 Mar 2017 19:09:52 +1100 Subject: [refpolicy] [PATCH] /var/run -> /run again Message-ID: <20170322080952.m5tgzsqfwejeujk4@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Here's the latest version of my patch to remove all /var/run when it's not needed. I have removed the subst thing from the patch, but kept a distro_debian bit that relies on it. So with this patch the policy won't install if you build it with distro_debian unless you have my subst patch. Chris, if your automated tests require that it build and install with distro_debian then skip the patch for sysnetwork.fc. Can this be included? Index: refpolicy-2.20170313/policy/modules/contrib/iodine.fc =================================================================== --- refpolicy-2.20170313.orig/policy/modules/contrib/iodine.fc +++ refpolicy-2.20170313/policy/modules/contrib/iodine.fc @@ -2,4 +2,4 @@ /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) -/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0) +/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0) Index: refpolicy-2.20170313/policy/modules/contrib/mon.fc =================================================================== --- refpolicy-2.20170313.orig/policy/modules/contrib/mon.fc +++ refpolicy-2.20170313/policy/modules/contrib/mon.fc 
@@ -5,7 +5,7 @@ /usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0) -/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0) +/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0) /var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0) /var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0) Index: refpolicy-2.20170313/policy/modules/contrib/qemu.fc =================================================================== --- refpolicy-2.20170313.orig/policy/modules/contrib/qemu.fc +++ refpolicy-2.20170313/policy/modules/contrib/qemu.fc @@ -7,4 +7,4 @@ /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0) +/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0) Index: refpolicy-2.20170313/policy/modules/kernel/files.fc =================================================================== --- refpolicy-2.20170313.orig/policy/modules/kernel/files.fc +++ refpolicy-2.20170313/policy/modules/kernel/files.fc @@ -155,6 +155,7 @@ HOME_ROOT/lost\+found/.* <> # /run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) /run -l gen_context(system_u:object_r:var_run_t,s0) +/run/shm -l gen_context(system_u:object_r:var_run_t,s0) /run/.* <> # @@ -212,8 +213,7 @@ HOME_ROOT/lost\+found/.* <> /usr/tmp/.* <> ifdef(`distro_debian',` -# on Debian /lib/init/rw is a tmpfs used like /var/run but -# before /var is mounted +# on Debian /lib/init/rw is a tmpfs used like /run /usr/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) ') 
@@ -253,7 +253,6 @@ ifndef(`distro_redhat',` /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/lost\+found/.* <> -/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) Index: refpolicy-2.20170313/policy/modules/system/logging.fc =================================================================== --- refpolicy-2.20170313.orig/policy/modules/system/logging.fc +++ refpolicy-2.20170313/policy/modules/system/logging.fc @@ -55,7 +55,7 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') -/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) +/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) Index: refpolicy-2.20170313/policy/modules/system/sysnetwork.fc =================================================================== --- refpolicy-2.20170313.orig/policy/modules/system/sysnetwork.fc +++ refpolicy-2.20170313/policy/modules/system/sysnetwork.fc @@ -71,6 +71,6 @@ ifdef(`distro_gentoo',` ifdef(`distro_debian',` /run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) -/var/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0) +/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0) ') Index: refpolicy-2.20170313/policy/modules/system/systemd.fc =================================================================== --- refpolicy-2.20170313.orig/policy/modules/system/systemd.fc +++ refpolicy-2.20170313/policy/modules/system/systemd.fc 
@@ -52,4 +52,4 @@ /run/tmpfiles\.d/.* <> /var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) -/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) +/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) Index: refpolicy-2.20170313/policy/modules/contrib/dbus.fc =================================================================== --- refpolicy-2.20170313.orig/policy/modules/contrib/dbus.fc +++ refpolicy-2.20170313/policy/modules/contrib/dbus.fc @@ -14,6 +14,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +ifdef(`distro_debian',` +/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) Index: refpolicy-2.20170313/policy/modules/system/init.fc =================================================================== --- refpolicy-2.20170313.orig/policy/modules/system/init.fc +++ refpolicy-2.20170313/policy/modules/system/init.fc @@ -53,6 +53,7 @@ ifdef(`distro_gentoo', ` /var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0) /run/initctl -p gen_context(system_u:object_r:initctl_t,s0) +/run/kerneloops\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) /run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) /run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
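Review bot: the new `/run/shm -l` line in the files.fc hunk at `@@ -155,6 +155,7 @@` is not mentioned in the message, which describes the patch as a /var/run to /run rename; say why the symlink needs an explicit var_run_t entry (the following `/run/.* <>` line would otherwise leave it unlabeled) and, if it is Debian-specific because /run/shm points at /dev/shm there, consider wrapping it in `ifdef(\`distro_debian',\`` like the /usr/lib/init/rw entry further down in the same file.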
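Review bot: in the files.fc hunk at `@@ -212,8 +213,7 @@` the rewritten comment still says `/lib/init/rw` while the rule below it matches `/usr/lib/init/rw(/.*)?`; since the comment is being rewritten anyway, make it name the same path as the rule so the two do not drift further apart.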
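Review bot: the files.fc hunk at `@@ -253,7 +253,6 @@` drops `/var/run -d` but keeps `/var/run -l`, so a /var/run that is still a real directory on some target no longer has a dedicated context and falls through to whatever the generic /var rule assigns; either confirm in the commit message that every supported distribution (this block is inside `ifndef(\`distro_redhat'`) ships /var/run as a symlink, or keep the `-d` line so both layouts stay correctly labeled.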
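Review bot: the sysnetwork.fc hunk at `@@ -71,6 +71,6 @@` is a plain `/var/run/resolvconf/.*` to `/run/resolvconf/.*` rename, identical in form to the iodine, mon and qemu hunks, yet the message says this is the one hunk that breaks installation with distro_debian without the out-of-tree subst patch; the message should explain what actually fails, and a hunk that depends on an unmerged patch should be held back until that patch lands rather than shipped with a "skip it if your tests break" caveat.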
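Review bot: the dbus.fc hunk at `@@ -14,6 +14,9 @@` adds a `/var/run/dbus(/.*)?` entry under `ifdef(\`distro_debian',\`` in a patch whose stated purpose is removing /var/run entries, directly below the existing `/run/dbus(/.*)?` line it duplicates; add a comment on the entry explaining why Debian needs the /var/run spelling as well (for example, path-based label lookups on the socket path dbus is configured with), in the style of the `# on Debian ...` comment in files.fc, so the next cleanup pass does not remove it again.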
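Review bot: the init.fc hunk at `@@ -53,6 +53,7 @@` adds `/run/kerneloops\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)`, which is a new file context unrelated to the /var/run to /run rename and is not mentioned in the message; split it into its own patch, and justify labeling a daemon's pid file with the generic initrc_var_run_t rather than a type owned by the domain that writes it, since the generic type lets any domain with initrc_var_run_t write access manage that pid file.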