26 Commits

Author SHA1 Message Date
Lukas Vrabec
9fb60ef78a
Add equivalence to /var/named/chroot/ /var
Resolves: rhbz#1525641
2019-10-25 10:16:01 +02:00
Jonathan Lebon
c9e40e083e Drop /var/home -> /home equivalency rule
This was previously needed because on RPM-OSTree systems, user homes
were located in `/var/home` while the default home specified in
`etc/default/useradd` was still `/home`. This meant that `genhomedircon`
(which parses `/etc/default/useradd` to find the homedir) rendered the
`HOME_DIR` template rules as `/home` into `file_contexts.homedirs`. So
then, we needed this equivalency rule so that `/var/home/...` was
equivalent to the generated `/home/...` rules.

Now however, RPM-OSTree correctly fixes `/etc/default/useradd` to point
to `/var/home` [1]. This now means that `file_contexts.homedirs` does
correctly hold `/var/home/...` rules. Thus we no longer need this
equivalency rule. In fact, it now actively prevents proper labeling of
the home dirs since `/home/...` is now considered `default_t` [2]. If
anything, we'd want the *inverse* rule of `/home` --> `/var/home`, but
only on RPM-OSTree systems, which I'm not sure how easy it'd be to do
here. In practice, since SELinux uses the resolved path before matching
a rule, all paths under `/home/...` will end up as `/var/home/...`.

IOW, the hack we added to make `/var/home` labeled like `/home` on
RPM-OSTree systems is no longer needed now that RPM-OSTree correctly
sets `HOME`, which SELinux picks up on.

As for root's home, it's part of the main context list and isn't
templated, so it's always `/root`, and so we do still need the
equivalency rule there.

[1] https://github.com/projectatomic/rpm-ostree/pull/1726
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1669982
2019-02-06 10:53:08 -05:00
Lukas Vrabec
afcdb03a67
Adding missing equivalency rules to be able to do proper configuration of polyinstantiation 2018-06-06 16:09:30 +02:00
Lukas Vrabec
dd15940cc3
Fedora Atomic host using for temp files /sysroot/tmp path, we should label same as /tmp adding file context equivalence BZ(1559531) 2018-03-26 15:47:43 +02:00
Lukas Vrabec
03b39f31e5 Add label for /sbin symlink 2017-03-02 17:56:48 +01:00
Dan Walsh
0a779634f4 Label generator.late correctly 2014-09-21 07:36:03 -04:00
Dan Walsh
0ecd68b2f1 Add alternate labels for named chroot directory 2014-04-22 08:41:22 -04:00
Miroslav Grepl
2a6e2e714e Add /var/roothome /root subs 2014-02-27 09:40:04 +01:00
Miroslav Grepl
7741f63587 Remove /usr/local /usr equiv 2014-02-18 15:49:35 +01:00
Dan Walsh
9a76d63b01 Add subs for /var/home and /var/root 2014-02-14 15:21:51 -05:00
Dan Walsh
ce08937c78 Fix the label of /run/systemd/generator directory 2013-04-06 07:53:58 -04:00
Dan Walsh
43a40ee0c7 Revert "Fix labels subs to use /var/run rather than /run, since /run will be ignored"
This reverts commit 40cef5a361.
2013-03-25 10:49:09 -04:00
Dan Walsh
620bf3d88c Revert "Fix labels subs to use /var/run rather than /run, since /run will be ignored"
This reverts commit a0515201e5.
2013-03-25 10:48:45 -04:00
Dan Walsh
a0515201e5 Fix labels subs to use /var/run rather than /run, since /run will be ignored 2013-03-25 10:36:45 -04:00
Dan Walsh
40cef5a361 Fix labels subs to use /var/run rather than /run, since /run will be ignored 2013-03-25 10:36:00 -04:00
Miroslav Grepl
a270091f19 Make rawhide == f18 2012-12-17 17:21:00 +01:00
Dan Walsh
4dd322f258 Add equivalency for /usr/local -> /usr 2012-07-30 10:05:45 -04:00
Dan Walsh
9382499c6f Fix file_context.subs_dist for now to work with pre usrmove 2012-01-31 15:26:31 -05:00
Dan Walsh
cde75b4cef Remove /lib64 subs since this is not a link, switch /lib/systemd to /usr/lib since the usrmove 2012-01-30 14:58:40 -05:00
Dan Walsh
74900d5a94 Add guest home spec 2011-11-16 10:58:16 -05:00
Dan Walsh
06b46a174e Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten 2011-08-23 14:13:40 -04:00
Dan Walsh
10f0de0090 livecd fixes
spec file fixes
2011-08-10 14:00:28 -04:00
Dan Walsh
32e78857c1 Removing /usr/lib/debug subs_dist entry. This did not work properly, we need to go back to labeling based on lib_t 2011-07-05 10:45:44 -04:00
Dan Walsh
857c813190 Eliminate olpc stuff and other no longer needed files. Update to new system to build policy.* file within payload. 2011-06-09 22:36:45 -04:00
Dan Walsh
8f6432aac9 Label stuff under /usr/lib/debug as if it was labeled under / 2011-06-06 13:11:10 -04:00
Dan Walsh
86354fa4cc Remove lib64 mapping and use subs. change subs name to file_context.subs_dist 2011-04-05 15:30:24 -04:00