Attempt to label /run/ipc* content correctly

Signed-off-by: Daniel J Walsh <[email protected]>
sandrobonazzola · Jun 25, 2024 · a7fbb63 · a7fbb63
1 parent 4b8f2f0
commit a7fbb63
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/qm.fc b/qm.fc
@@ -11,5 +11,5 @@
 
 # File context for ipc programs
 /usr/bin/ipc-demo	gen_context(system_u:object_r:ipc_exec_t,s0)
-/run/ipc-demo(/.*)?	gen_context(system_u:object_r:ipc_var_run_t,s0)
-/run/ipc(/.*)?	gen_context(system_u:object_r:ipc_var_run_t,s0)
+/var/run/ipc-demo(/.*)?	gen_context(system_u:object_r:ipc_var_run_t,s0)
+/var/run/ipc(/.*)?	gen_context(system_u:object_r:ipc_var_run_t,s0)
diff --git a/qm.te b/qm.te
@@ -3,6 +3,7 @@ policy_module(qm, 0.6.4)
 gen_require(`
 	attribute container_file_type;
 	attribute container_runtime_domain;
+	type init_t;
 ')
 
 type ipc_t;
@@ -23,6 +24,8 @@ files_pid_file(ipc_var_run_t)
 files_mountpoint(ipc_var_run_t)
 
 files_pid_filetrans(ipc_t, ipc_var_run_t, { dir file lnk_file sock_file })
+files_pid_filetrans(init_t, ipc_var_run_t, dir, "ipc-demo")
+files_pid_filetrans(init_t, ipc_var_run_t, dir, "ipc")
 
 unconfined_domain(ipc_t)