/var/run is a symlink to /run in microos.
Currently the selinux-policy package has a rule for file contexts
from /run/<file> to use the same file context specified in /var/run/<file>.

The upcoming main selinux-policy package update will change the direction
of that "forwarding", so /var/run will follow the rules in /run.
This way, the file context entries will match the actual filesystem path.

All existing file context entries in custom modules
based on the /var/run path need to change to /run, otherwise there is no rule
for /var/run entries to "be forwarded to" in /run.

Signed-off-by: Cathy Hu <[email protected]>
ca-hu committed Apr 11, 2024
1 parent a370547 commit 93d3c8d
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions policy/microos/k3s.fc
Expand Up @@ -23,5 +23,5 @@
/var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
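Review bot: The two /run/k3s entries at the end of this hunk only match once the base selinux-policy forwards /var/run to /run, as the commit message describes, and nothing in this change ties it to that policy version. With the current direction (lookups for /run paths resolved against /var/run entries) there is no /var/run/k3s rule left to resolve to, so a relabel could drop container_var_run_t on /run/k3s and container_runtime_tmpfs_t on the sandbox shm directories. Suggest stating the minimum selinux-policy version in the packaging for the microos build or in the commit message, and checking with matchpathcon on an updated host that both /run/k3s and /var/run/k3s resolve to container_var_run_t.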
