[HEADS-UP] Moving /var/run and /var/lock to tmpfs in Rawhide
paul at city-fan.org
Tue Nov 30 21:17:27 UTC 2010
On Tue, 30 Nov 2010 16:10:20 -0500 (EST)
Paul Wouters <paul at xelerance.com> wrote:
> On Tue, 30 Nov 2010, Tomasz Torcz wrote:
> >> I would really like to avoid having THREE places to create
> >> directories in /var/run and /var/lock, those being spec file, init
> >> scripts AND tmpfiles.d
> > Scratch the initscript. This would mean initscript would need to
> > contain multiple
> > ExecStartPre=/sbin/mkdir --mode=777 /var/run/xx; /bin/chown
> > x.x /var/run/xx; /sbin/restorecon /var/run/xx lines, which look
> > unwieldy.
> why not
> mkdir -p /var/run/xx
> [ ! -d /var/run/xx ] && mkdir -p /var/run/xx
> Can't SELinux pick up things without a restorecon? And what is the
> problem with another (root) process screwing over a pid or lock file?
> Can't SELinux lock that down from the /var/run level?
/var/run is var_run_t in targeted policy, but hardly anything below
/var/run is - almost every subdir/file has its own context type.
Just creating a file/directory within /var/run using the initscript will
inherit the var_run_t, which in most cases is not what's needed, hence
the need for restorecon.
Having the daemon create the file/dir works better because there will
be a type transition defined in policy that results in the correct
context type being used.
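As an added illustration of the labelling rules described above (not code from this thread or from the SELinux project): a toy model of file_contexts matching that contrasts the label an object inherits when an init script creates it with the label policy wants, and with what a daemon's type_transition would produce. The policy entries, the xx_t domain and the transition table are constructed; the model assumes last-match-wins for file_contexts and that /var/run itself is already correctly labelled.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed file_contexts excerpt (not real policy). Format: regex [ftype] context,
# where ftype "--" means regular file, "-d" directory; absent means any type.
FILE_CONTEXTS = r"""
/var/run(/.*)?             system_u:object_r:var_run_t:s0
/var/run/xx(/.*)?          system_u:object_r:xx_var_run_t:s0
/var/run/xx\.pid       --  system_u:object_r:xx_var_run_t:s0
/var/lock(/.*)?            system_u:object_r:var_lock_t:s0
"""
# Constructed type_transition rules: (creating domain, parent type) -> new type.
TYPE_TRANSITIONS = {("xx_t", "var_run_t"): "xx_var_run_t"}

@dataclass
class Spec:
    regex: re.Pattern
    ftype: Optional[str]
    context: str

def parse_file_contexts(text):
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            (pattern, context), ftype = fields, None
        else:
            raise ValueError(f"bad file_contexts line: {line!r}")
        specs.append(Spec(re.compile(pattern + r"\Z"), ftype, context))
    return specs

def policy_context(specs, path, ftype="-d"):
    """Label policy wants for `path`: last matching entry wins (assumed matchpathcon rule)."""
    for spec in reversed(specs):
        if spec.ftype in (None, ftype) and spec.regex.match(path):
            return spec.context
    return None

def created_context(specs, domain, path):
    """Label a new object actually gets: a type_transition for (domain, parent type)
    if one exists, otherwise it simply inherits the parent directory's type."""
    parent = path.rsplit("/", 1)[0] or "/"
    user, role, ptype, mls = policy_context(specs, parent).split(":", 3)
    return ":".join((user, role, TYPE_TRANSITIONS.get((domain, ptype), ptype), mls))

def needs_restorecon(specs, domain, path, ftype="-d"):
    """(mismatch?, label at creation, label policy wants) for `domain` creating `path`."""
    actual, wanted = created_context(specs, domain, path), policy_context(specs, path, ftype)
    return actual != wanted, actual, wanted

SPECS = parse_file_contexts(FILE_CONTEXTS)
```

Running `needs_restorecon(SPECS, "initrc_t", "/var/run/xx")` reports a mismatch (var_run_t inherited, xx_var_run_t wanted), while the same call with the daemon domain `xx_t` does not.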