From: russell@coker.com.au (Russell Coker)
Date: Wed, 1 Mar 2017 01:12:08 +1100
Subject: [refpolicy] [PATCH] systemd-nspawn
In-Reply-To: <20170228110557.ck7x4ligazrhdnrx@athena.coker.com.au>
References: <20170228110557.ck7x4ligazrhdnrx@athena.coker.com.au>
Message-ID: <201703010112.08588.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 28 Feb 2017 10:05:57 PM Russell Coker via refpolicy wrote:
> Index: refpolicy-2.20170227/policy/modules/system/logging.fc > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/system/logging.fc > +++ refpolicy-2.20170227/policy/modules/system/logging.fc > @@ -64,7 +64,6 @@ ifdef(`distro_redhat',` > /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run > _t,s0) > /run/log -s gen_context(system_u:object_r:devlog_t,s0) > /run/log -d gen_context(system_u:object_r:var_log_t,s0- > mls_systemhigh) > -/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_system > high) > /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_r > un_t,s0) > /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r > un_t,mls_systemhigh) > /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r > un_t,mls_systemhigh)

This doesn't really belong in the nspawn patch. The reason it's in is nspawn was left after I split everything else into different patches.

It's not a mistake, that labelling of /run/log/journal breaks systemd-journald and needs to be removed. When it's removed the entry for /var/run/log/journal takes over and gives the desired result. I don't know why /run/log/journal gets priority on my system.

We need to fix this /run vs /var/run thing. We need one canonical name and we need to change everything to it. Chris, you want me to write a patch to change everything to /run?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
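
Review bot: The removal of the `/run/log/journal(/.*)?` entry in the `@@ -64,7 +64,6 @@` hunk of logging.fc is unrelated to systemd-nspawn and should be submitted as its own patch, with a description that records the systemd-journald breakage it addresses. In the visible context the remaining entries are `/run/log -s` (devlog_t) and `/run/log -d` (var_log_t, s0-mls_systemhigh); both are anchored to /run/log itself and neither matches paths below /run/log/journal, so the resulting label depends on an entry that this hunk does not show. The description should name that entry, and it is worth checking the label that results for /run/log/journal and for a file beneath it (for example with matchpathcon) before this is merged. The removed line also gives its range as `mls_systemhigh` where the neighbouring directory entry uses `s0-mls_systemhigh`; saying whether that difference is connected to the breakage would help whoever revisits this file.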