/run/lock fixes

its world writable like /tmp default to none-spec inside there like /tmp
author: Dominick Grift <dominick.grift@defensec.nl> 2025-04-27 11:59:30 +0200
committer: Dominick Grift <dominick.grift@defensec.nl> 2025-04-27 11:59:30 +0200
commit: 88a5f505104473b97d6f1f6774de2f9fb8d907c4 (patch)
tree: f9f5a6f1875df46be8a495b665350dff5a6c849a
parent: 319fb10e64b4e00fb79ec23e6fca590eaa60c792 (diff)
download: selinux-policy-88a5f505104473b97d6f1f6774de2f9fb8d907c4.tar.gz
2 files changed, 6 insertions, 2 deletions
diff --git a/src/file/runfile/runlockfile.cil b/src/file/runfile/runlockfile.cil
index f790314..41f292c 100644
--- a/src/file/runfile/runlockfile.cil
+++ b/src/file/runfile/runlockfile.cil
@@ -3,7 +3,9 @@
 
 (block runlock
 
-  (blockinherit .file.runlock.template))
+  (blockinherit .file.runlock.template)
+
+  (call .rbacsep.exempt.obj.type (file)))
 
 (in file
 
diff --git a/src/misc.cil b/src/misc.cil
index 75e7a6a..81a3775 100644
--- a/src/misc.cil
+++ b/src/misc.cil
@@ -507,7 +507,9 @@
 (in runlock
 
     (filecon "/run/lock" dir file_context)
-    (filecon "/run/lock/.*" any file_context)
+    (filecon "/run/lock/.*" any ())
+
+    (filecon "/run/lock/subsys" dir file_context)
 
     (macro run_file_type_transition_file ((type ARG1))
 	   (call .run.file_type_transition
author	Dominick Grift <dominick.grift@defensec.nl>	2025-04-27 11:59:30 +0200
committer	Dominick Grift <dominick.grift@defensec.nl>	2025-04-27 11:59:30 +0200
commit	88a5f505104473b97d6f1f6774de2f9fb8d907c4 (patch)
tree	f9f5a6f1875df46be8a495b665350dff5a6c849a
parent	319fb10e64b4e00fb79ec23e6fca590eaa60c792 (diff)
download	selinux-policy-88a5f505104473b97d6f1f6774de2f9fb8d907c4.tar.gz