From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1409064730.c1cf5db371b24eaaed3fbb1f8eaf713f371a61fa.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/files.fc X-VCS-Directories: policy/modules/kernel/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: c1cf5db371b24eaaed3fbb1f8eaf713f371a61fa X-VCS-Branch: perfinion Date: Tue, 26 Aug 2014 19:45:48 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c06ed53b-5379-42ec-87a7-e5fc202e86a7 X-Archives-Hash: 37ec182b4dc390eb8c3c5fbba7d3b614 commit: c1cf5db371b24eaaed3fbb1f8eaf713f371a61fa Author: Nicolas Iooss m4x org> AuthorDate: Sat Aug 23 11:35:51 2014 +0000 Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 26 14:52:10 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1cf5db3 Label (/var)?/tmp/systemd-private-.../tmp like /tmp Such directories are used by systemd as private mountpoints for services. --- policy/modules/kernel/files.fc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index 1a83f34..3c61990 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -191,6 +191,10 @@ ifdef(`distro_debian',` /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /tmp/lost\+found/.* <> +/tmp/systemd-private-[^/]+ -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/tmp/systemd-private-[^/]+/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/tmp/systemd-private-[^/]+/tmp/.* <> + # # /usr # 
@@ -265,6 +269,9 @@ ifndef(`distro_redhat',` /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> +/var/tmp/systemd-private-[^/]+ -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/var/tmp/systemd-private-[^/]+/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/var/tmp/systemd-private-[^/]+/tmp/.* <> /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0) ifdef(`distro_debian',`
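Review bot: in the first hunk (the `/tmp/systemd-private-[^/]+` entries), the `-d` specifier and the `s0-mls_systemhigh` range correctly copy the existing `/tmp` entry rather than the narrower `s0` used for `vi\.recover`, and that matters because the inner `tmp` directory is what a service sees as its /tmp inside the private mount namespace: keeping it tmp_t means the service's existing tmp file transitions keep working there. Two things to tighten. First, the diffstat shows only files.fc changing, so these entries only take effect on a relabel (setfiles/restorecon); directories systemd creates at runtime inherit their label from /tmp anyway, so it is worth confirming with `restorecon -nv /tmp` on a live system that the new entries agree with what is already on disk and do not flip any labels. Second, the trailing `/tmp/systemd-private-[^/]+/tmp/.*` line gives the same `<<none>>` result (rendered here as `<>`) that the existing `/tmp/.*` entry already produces, so it is redundant, but it matches the `lost\+found/.*` style directly above and is fine to keep for consistency. The commit message would also benefit from naming the systemd option that creates these directories (PrivateTmp=), since that is what a reader will grep for when they meet the path.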
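Review bot: the second hunk repeats the three-line `/tmp` block verbatim for `/var/tmp`, and the placement is right (it sorts between `lost\+found` and `vi\.recover`, preserving the file's alphabetical order), but be aware of the range difference from its immediate neighbour: `/var/tmp/vi\.recover` is labelled with a plain `s0` range while the new private `tmp` directories get `s0-mls_systemhigh` like `/var/tmp` itself. That is the correct choice here, since a service's private /var/tmp can hold data at the same sensitivity levels as the shared directory, so do not "align" it with `vi\.recover` in a follow-up. Because the identical block now lives in two places, a one-line comment above each copy saying the two must be kept in sync when systemd's naming scheme changes would save the next editor from fixing only one of them.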