From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 25 Mar 2017 12:46:24 -0400 Subject: [refpolicy] [PATCH] /var/run -> /run again In-Reply-To: <20170322080952.m5tgzsqfwejeujk4@athena.coker.com.au> References: <20170322080952.m5tgzsqfwejeujk4@athena.coker.com.au> Message-ID: <71898ca4-867d-0e9a-0f80-2da34e21c18e@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/22/2017 04:09 AM, Russell Coker via refpolicy wrote: > Here's the latest version of my patch to remove all /var/run when it's not > needed. I have removed the subst thing from the patch, but kept a > distro_debian bit that relies on it. So with this patch the policy won't > install if you build it with distro_debian unless you have my subst patch. > Chris, if your automated tests require that it build and install with > distro_debian then skip the patch for sysnetwork.fc. > > Can this be included? I've merged this, though a couple hunks weren't necessary they were already fixed. > Index: refpolicy-2.20170313/policy/modules/contrib/iodine.fc > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/contrib/iodine.fc > +++ refpolicy-2.20170313/policy/modules/contrib/iodine.fc > @@ -2,4 +2,4 @@ > > /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) > > -/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0) > +/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0) > Index: refpolicy-2.20170313/policy/modules/contrib/mon.fc > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/contrib/mon.fc > +++ refpolicy-2.20170313/policy/modules/contrib/mon.fc 
> @@ -5,7 +5,7 @@ > > /usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0) > > -/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0) > +/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0) > > /var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0) > /var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0) > Index: refpolicy-2.20170313/policy/modules/contrib/qemu.fc > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/contrib/qemu.fc > +++ refpolicy-2.20170313/policy/modules/contrib/qemu.fc > @@ -7,4 +7,4 @@ > > /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) > > -/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0) > +/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0) > Index: refpolicy-2.20170313/policy/modules/kernel/files.fc > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/kernel/files.fc > +++ refpolicy-2.20170313/policy/modules/kernel/files.fc > @@ -155,6 +155,7 @@ HOME_ROOT/lost\+found/.* <> > # > /run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) > /run -l gen_context(system_u:object_r:var_run_t,s0) > +/run/shm -l gen_context(system_u:object_r:var_run_t,s0) > /run/.* <> > > # > @@ -212,8 +213,7 @@ HOME_ROOT/lost\+found/.* <> > /usr/tmp/.* <> > > ifdef(`distro_debian',` > -# on Debian /lib/init/rw is a tmpfs used like /var/run but > -# before /var is mounted > +# on Debian /lib/init/rw is a tmpfs used like /run > /usr/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) > ') 
> > @@ -253,7 +253,6 @@ ifndef(`distro_redhat',` > /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) > /var/lost\+found/.* <> > > -/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) > /var/run -l gen_context(system_u:object_r:var_run_t,s0) > > /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) > Index: refpolicy-2.20170313/policy/modules/system/logging.fc > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/system/logging.fc > +++ refpolicy-2.20170313/policy/modules/system/logging.fc > @@ -55,7 +55,7 @@ ifdef(`distro_redhat',` > /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) > ') > > -/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) > +/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) > > /run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) > /run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) > Index: refpolicy-2.20170313/policy/modules/system/sysnetwork.fc > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/system/sysnetwork.fc > +++ refpolicy-2.20170313/policy/modules/system/sysnetwork.fc > @@ -71,6 +71,6 @@ ifdef(`distro_gentoo',` > > ifdef(`distro_debian',` > /run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) > -/var/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0) > +/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0) > ') > > Index: refpolicy-2.20170313/policy/modules/system/systemd.fc > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/system/systemd.fc > +++ refpolicy-2.20170313/policy/modules/system/systemd.fc 
> @@ -52,4 +52,4 @@ > /run/tmpfiles\.d/.* <> > > /var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) > -/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) > +/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) > Index: refpolicy-2.20170313/policy/modules/contrib/dbus.fc > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/contrib/dbus.fc > +++ refpolicy-2.20170313/policy/modules/contrib/dbus.fc > @@ -14,6 +14,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system > /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) > > /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) > +ifdef(`distro_debian',` > +/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) > +') > /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) > > /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) > Index: refpolicy-2.20170313/policy/modules/system/init.fc > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/system/init.fc > +++ refpolicy-2.20170313/policy/modules/system/init.fc > @@ -53,6 +53,7 @@ ifdef(`distro_gentoo', ` > /var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0) > > /run/initctl -p gen_context(system_u:object_r:initctl_t,s0) > +/run/kerneloops\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) > /run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) > /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) > /run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
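Review bot: in policy/modules/kernel/files.fc, hunk @@ -155,6 +155,7, the added `/run/shm -l` line is a new file context rather than a /var/run to /run conversion, and nothing in the hunk or the description says which layout has /run/shm as a symlink. Add a one-line comment above it naming the case it covers (wrapping it in an ifdef if it is distro-specific) and mention it in the patch description so it is not lost among the renames.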
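Review bot: in policy/modules/kernel/files.fc, hunk @@ -253,7 +253,6, dropping the `/var/run -d` line leaves only the `/var/run -l` entry, so a system where /var/run is still a real directory no longer has a matching directory spec here. The description says the subst part was taken out of this patch, so either keep the `-d` entry until that change lands or add a comment beside the remaining `-l` line stating that /var/run is assumed to be a symlink to /run.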
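Review bot: in policy/modules/system/sysnetwork.fc, hunk @@ -71,6 +71,6, the `/run/resolvconf/.*` line inside the `distro_debian` block is the change the description says will not install without the separate subst patch. That dependency should not live only in the e-mail text: hold this hunk back until the subst patch is merged, or state the prerequisite in the commit message so a distro_debian build failure can be traced to it.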
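Review bot: in policy/modules/contrib/dbus.fc, hunk @@ -14,6 +14,9, the new `distro_debian` block adds a `/var/run/dbus(/.*)?` entry, which runs against the stated purpose of removing /var/run paths and carries no comment explaining why Debian needs it. Please add a comment giving the reason, and say how this entry is expected to behave once a /var/run to /run substitution is in effect, since the existing `/run/dbus(/.*)?` line already assigns the same type.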
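Review bot: in policy/modules/system/init.fc, hunk @@ -53,6 +53,7, the added `/run/kerneloops\.pid` line is a new labeling decision, not a /var/run to /run rename, and the description does not mention it. Split it into its own patch, or add a sentence to the description explaining why the pid file is given `initrc_var_run_t`, so the choice of type can be reviewed on its own.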