From 88a5f505104473b97d6f1f6774de2f9fb8d907c4 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Sun, 27 Apr 2025 11:59:30 +0200
Subject: /run/lock fixes its world writable like /tmp default to none-spec inside there like /tmp
---
 src/file/runfile/runlockfile.cil | 4 +++-
 src/misc.cil | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/file/runfile/runlockfile.cil b/src/file/runfile/runlockfile.cil
index f790314..41f292c 100644
--- a/src/file/runfile/runlockfile.cil
+++ b/src/file/runfile/runlockfile.cil
@@ -3,7 +3,9 @@
 (block runlock
-	(blockinherit .file.runlock.template))
+	(blockinherit .file.runlock.template)
+
+	(call .rbacsep.exempt.obj.type (file)))
 (in file
diff --git a/src/misc.cil b/src/misc.cil
index 75e7a6a..81a3775 100644
--- a/src/misc.cil
+++ b/src/misc.cil
@@ -507,7 +507,9 @@
 (in runlock
 	(filecon "/run/lock" dir file_context)
-	(filecon "/run/lock/.*" any file_context)
+	(filecon "/run/lock/.*" any ())
+
+	(filecon "/run/lock/subsys" dir file_context)
 (macro run_file_type_transition_file ((type ARG1))
 	(call .run.file_type_transition
-- 
cgit v1.2.3
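Review bot: The added `(call .rbacsep.exempt.obj.type (file))` has no comment explaining why runlock's `file` type may be reached across role boundaries; the rationale lives only in the commit message. Because the companion change turns `/run/lock/.*` into a none-spec, a lock file created by a domain that lacks a `run_file_type_transition_file` rule keeps the parent directory's type (presumably this same `file` type, via `file_context`) and is therefore exposed to every role through this exemption, which is the trade-off worth recording next to the call. Suggest `; /run/lock is world writable like /tmp, so every role must reach it; lock files created here must be type-transitioned away from this type`. The `runlock` block is shown in full; the following `(in file` form continues outside the hunk.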
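Review bot: `(filecon "/run/lock/.*" any ())` drops every file_context label below /run/lock, so restorecon will no longer correct a lock file that was created with the wrong type and labelling now rests entirely on type transitions (the `run_file_type_transition_file` macro below, whose body continues past the hunk); that dependency deserves a comment, e.g. `; <<none>>: lock files get their label from type transitions, not from file_context`. The new `/run/lock/subsys` dir spec is presumably there because the broader none-spec would otherwise match it as well, which is also worth stating, e.g. `; subsys needs its own spec or the none-spec above would swallow it`. It is worth confirming that no other part of the policy still relies on restorecon to repair labels under /run/lock, since that path is gone after this change; that is inferred, not visible in the hunk.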