commit: ca23f74eb96deca16ed2cd98f551436ff80093b9 Author: cgzones <cgzones <AT> googlemail <DOT> com> AuthorDate: Thu Feb 16 15:08:47 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Tue Feb 21 06:40:52 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca23f74e
files: no default types for /run and /var/lock
encourage private types for /run and /var/lock by not providing default contexts anymore
policy/modules/kernel/files.fc | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 39491e9d..5d2c0c58 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -155,11 +155,7 @@ HOME_ROOT/lost\+found/.* <<none>>
 #
 /run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
 /run -l gen_context(system_u:object_r:var_run_t,s0)
-/run/.* gen_context(system_u:object_r:var_run_t,s0)
-/run/.*\.*pid <<none>>
-
-/run/lock -d gen_context(system_u:object_r:var_lock_t,s0)
-/run/lock -l gen_context(system_u:object_r:var_lock_t,s0)
+/run/.* <<none>>
 
 #
 # /selinux
@@ -243,7 +239,10 @@ ifndef(`distro_redhat',`
 /var/lib/nfs/rpc_pipefs(/.*)? <<none>>
 
-/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock -d gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh)
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock/subsys -d gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh)
+/var/lock/.* <<none>>
 
 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/log/lost\+found/.* <<none>>
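Review bot: The first hunk removes the `/run/lock -d` and `/run/lock -l` var_lock_t entries and lets `/run/lock` fall under the new `/run/.* <<none>>` catch-all, while the second hunk still describes `/var/lock` as a symlink (`-l`); on layouts where that symlink points at /run/lock, the real lock directory is now excluded from relabeling and ends up with whatever type its creator gives it (presumably var_run_t inherited from /run) unless a type transition to var_lock_t covers its boot-time creation. Either restore the two `/run/lock` entries above the catch-all (a non-regex path is more specific and so still wins), using the `s0-mls_systemhigh` range the second hunk gives `/var/lock -d`, or confirm in the commit message that a filetrans rule handles it. Since `<<none>>` entries are also skipped by setfiles/restorecon, a mislabeled file under /run or /var/lock can no longer be corrected by a relabel, so the intent deserves a comment next to the catch-all, e.g. `# no default contexts below /run: domains must use files_pid_filetrans() for private types`, and the same note next to `/var/lock/.* <<none>>`.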
