From 88a5f505104473b97d6f1f6774de2f9fb8d907c4 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Sun, 27 Apr 2025 11:59:30 +0200
Subject: /run/lock fixes its world writable like /tmp default to none-spec inside there like /tmp
---
 src/misc.cil | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'src/misc.cil')
diff --git a/src/misc.cil b/src/misc.cil
index 75e7a6a..81a3775 100644
--- a/src/misc.cil
+++ b/src/misc.cil
@@ -507,7 +507,9 @@
 (in runlock
 (filecon "/run/lock" dir file_context)
- (filecon "/run/lock/.*" any file_context)
+ (filecon "/run/lock/.*" any ())
+
+ (filecon "/run/lock/subsys" dir file_context)
 (macro run_file_type_transition_file ((type ARG1))
 (call .run.file_type_transition
--
cgit v1.2.3
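Review bot: The added `/run/lock/subsys` entry is of kind `dir`, so it pins only the directory itself; everything beneath it still matches `"/run/lock/.*"` and now resolves to the empty context, so a relabel will leave those entries with whatever label they were created with. If subsys is not world-writable and its lock files are expected to carry the runlock file context (the hunk does not show either way), consider adding `(filecon "/run/lock/subsys/.*" any file_context)` next to it. If leaving them unspecified is intended, a short `;` comment above the `()` line would help, stating that /run/lock is world-writable like /tmp and its contents are deliberately excluded from relabeling, so the rationale is in the policy source and not only in the commit message. The `(in runlock` block and the macro that follows continue past the end of the hunk.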