With initramfs 0.99, udev now uses /run/udev so that also needs to be labelled. Updated patch attached.
Notes:
- Adds a label for /var/run/udev instead of /run/udev because of the substitution in file_contexts.subs.
- I used udev_tbl_t instead of udev_var_run_t because this is the same data that used to be in /dev/.udev.

Best wishes,
-- Martin Orr
diff -Nwaru 20100524-9/debian/changelog 20100524-9+orr/debian/changelog
--- 20100524-9/debian/changelog 2011-05-14 11:39:40.000000000 +0100
+++ 20100524-9+orr/debian/changelog 2011-05-14 14:35:14.396000890 +0100
@@ -1,3 +1,9 @@
+refpolicy (2:0.2.20100524-9+orr1) unstable; urgency=low
+
+ * Add file_contexts.subs_dist
+
+ -- Martin Orr <mar...@martinorr.name> Sat, 14 May 2011 14:35:04 +0100
+
 refpolicy (2:0.2.20100524-9) unstable; urgency=low

 * Make gnome.pp not be autoloaded and revert some of the gnome stuff from the
diff -Nwaru 20100524-9/debian/file_contexts.subs_dist 20100524-9+orr/debian/file_contexts.subs_dist
--- 20100524-9/debian/file_contexts.subs_dist 1970-01-01 01:00:00.000000000 +0100
+++ 20100524-9+orr/debian/file_contexts.subs_dist 2011-05-14 14:31:17.316000865 +0100
@@ -0,0 +1,5 @@
+/run /var/run
+/run/lock /var/lock
+/var/run/lock /var/lock
+/run/shm /dev/shm
+/var/run/shm /dev/shm
diff -Nwaru 20100524-9/debian/local.mk 20100524-9+orr/debian/local.mk
--- 20100524-9/debian/local.mk 2011-05-14 11:39:40.000000000 +0100
+++ 20100524-9+orr/debian/local.mk 2011-05-14 14:36:39.616000898 +0100
@@ -213,6 +213,7 @@
 rm -f $(TMPTOP)/usr/share/selinux/mls/$$module.pp; \
 done
 $(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/mls/
+ $(install_file) debian/file_contexts.subs_dist $(TMPTOP)/etc/selinux/mls/contexts/files/
 $(install_file) VERSION $(DOCDIR)/
 $(install_file) README $(DOCDIR)/
 $(install_file) debian/README.Debian $(DOCDIR)/
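Review bot: The five entries in the new file_contexts.subs_dist are single-pass prefix rewrites, so the `/run/lock` and `/run/shm` entries must take precedence over the bare `/run` entry; if `/run` matched first, a path such as `/run/lock/foo` would be rewritten to `/var/run/lock/foo` and would most likely be labelled by the generic `/var/run` rules rather than as a lock file. As far as I recall libselinux tries the entries in reverse file order, which makes the ordering here correct, but nothing in the file records that it depends on this. I would add a header comment, `# Prefix rewrites, applied once per lookup: keep the more specific /run/lock and /run/shm entries after the bare /run entry` (assuming the parser skips `#` lines, which I believe it does). Note also that the file is only honoured by a libselinux that reads `file_contexts.subs_dist`; the cover mail refers to `file_contexts.subs`, so it is worth confirming that the Debian libselinux in use reads the `_dist` variant.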
@@ -249,6 +250,7 @@
 rm -f $(TMPTOP)/usr/share/selinux/default/$$module.pp; \
 done
 $(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/default/
+ $(install_file) debian/file_contexts.subs_dist $(TMPTOP)/etc/selinux/default/contexts/files/
 $(install_file) VERSION $(DOCDIR)/
 $(install_file) README $(DOCDIR)/
 $(install_file) debian/README.Debian $(DOCDIR)/
diff -Nwaru 20100524-9/policy/modules/kernel/files.if 20100524-9+orr/policy/modules/kernel/files.if
--- 20100524-9/policy/modules/kernel/files.if 2011-05-14 11:39:40.000000000 +0100
+++ 20100524-9+orr/policy/modules/kernel/files.if 2011-05-14 17:19:18.616001017 +0100
@@ -4861,6 +4861,7 @@
 type var_t, var_lock_t;
 ')

+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 search_dirs_pattern($1, var_t, var_lock_t)
 ')

@@ -4899,6 +4900,7 @@
 type var_t, var_lock_t;
 ')

+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 rw_dirs_pattern($1, var_t, var_lock_t)
 ')

@@ -4918,6 +4920,7 @@
 ')

 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 allow $1 var_lock_t:dir list_dir_perms;
 getattr_files_pattern($1, var_lock_t, var_lock_t)
 ')
@@ -4939,6 +4942,7 @@
 ')

 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 manage_files_pattern($1, var_lock_t, var_lock_t)
 ')

@@ -4960,6 +4964,7 @@
 ')

 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 delete_files_pattern($1, lockfile, lockfile)
 ')

@@ -4980,6 +4985,7 @@
 ')

 allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 allow $1 lockfile:dir list_dir_perms;
 read_files_pattern($1, lockfile, lockfile)
 read_lnk_files_pattern($1, lockfile, lockfile)
@@ -5002,6 +5008,7 @@
 ')

 allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 manage_dirs_pattern($1, lockfile, lockfile)
 manage_files_pattern($1, lockfile, lockfile)
 manage_lnk_files_pattern($1, lockfile, lockfile)
@@ -5034,6 +5041,7 @@
 ')

 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 filetrans_pattern($1, var_lock_t, $2, $3)
 ')

@@ -5072,6 +5080,7 @@
 type var_t, var_run_t;
 ')

+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 search_dirs_pattern($1, var_t, var_run_t)
 ')

@@ -5110,6 +5119,7 @@
 type var_t, var_run_t;
 ')

+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 list_dirs_pattern($1, var_t, var_run_t)
 ')

@@ -5128,6 +5138,7 @@
 type var_t, var_run_t;
 ')

+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 list_dirs_pattern($1, var_t, var_run_t)
 read_files_pattern($1, var_run_t, var_run_t)
 ')
@@ -5185,6 +5196,7 @@
 ')

 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 filetrans_pattern($1, var_run_t, $2, $3)
 ')

@@ -5203,6 +5215,7 @@
 type var_t, var_run_t;
 ')

+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 list_dirs_pattern($1, var_t, var_run_t)
 rw_files_pattern($1, var_run_t, var_run_t)
 ')
@@ -5242,6 +5255,7 @@
 ')

 allow $1 var_t:dir search;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 allow $1 var_run_t:dir manage_dir_perms;
 ')

@@ -5298,6 +5312,7 @@
 type var_t;
 ')

+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 list_dirs_pattern($1, var_t, pidfile)
 read_files_pattern($1, pidfile, pidfile)
 ')
@@ -5363,6 +5378,7 @@
 ')

 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 delete_dirs_pattern($1, pidfile, pidfile)
 ')

diff -Nwaru 20100524-9/policy/modules/system/udev.fc 20100524-9+orr/policy/modules/system/udev.fc
--- 20100524-9/policy/modules/system/udev.fc 2011-05-14 11:39:40.000000000 +0100
+++ 20100524-9+orr/policy/modules/system/udev.fc 2011-05-27 11:08:37.388000046 +0100
@@ -27,3 +27,4 @@
 /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)

 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
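Review bot: In the files.if hunk at @@ -5298 the added `allow $1 var_run_t:lnk_file read_lnk_file_perms;` references `var_run_t`, but the visible part of that interface's gen_require lists only `type var_t;`, so a module that calls this interface and does not otherwise require var_run_t will fail to compile; change that require line to `type var_t, var_run_t;`. The same check is needed for the hunks at @@ -4918, -4939, -4960, -4980, -5002, -5034, -5185, -5242 and -5363, whose gen_require blocks start above the hunk and cannot be confirmed from here — each must already list var_lock_t or var_run_t respectively. Beyond compilability, every one of these rules now lets all callers of the lock and pid search/read/manage interfaces read the `/var/lock` and `/var/run` symlinks, which is the point of the /run migration but is not stated anywhere in the file; a one-line comment above the first added rule, `# /var/lock and /var/run are symlinks into /run; callers must be able to follow them`, would keep the grant from being mistaken for a leftover later. The enclosing interfaces begin and end outside each hunk.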
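Review bot: The new `/var/run/udev(/.*)?` entry assigns `udev_tbl_t` while the adjacent PackageKit entry under the same `/var/run` prefix uses `udev_var_run_t`, and udev.fc itself gives no reason for labelling the two runtime directories differently; the rationale (the /run/udev database replaces /dev/.udev) exists only in the cover mail. I would record it next to the entry as `# /run/udev (matched via the /run -> /var/run substitution) holds the udev database formerly in /dev/.udev, hence udev_tbl_t rather than udev_var_run_t`. Since the entry only matches after the substitution is applied, on a host whose libselinux does not honour file_contexts.subs_dist the real path /run/udev falls through to whatever generic entry matches /run, so the intended label depends on the subs file being both installed and read.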