* [refpolicy] [PATCH 0/7] Some simple core policy updates
From: Sven Vermeulen @ 2014-11-22 18:54 UTC
To: refpolicy
This is a small set of policy updates that have been in the Gentoo policy for a while and are ready for upstreaming.
Sven Vermeulen (7):
Run grub(2)-mkconfig in bootloader domain
New sudo manages timestamp directory in /var/run/sudo
xfce4-notifyd is an executable
Mark f2fs as a SELinux capable file system
Add in LightDM contexts
Add gdisk and efibootmgr as fsadm_exec_t
Add /var/lib/racoon as runtime directory for ipsec
policy/modules/admin/bootloader.fc | 1 +
policy/modules/admin/sudo.if | 3 ++-
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/kernel/filesystem.te | 1 +
policy/modules/services/xserver.fc | 7 +++++++
policy/modules/system/fstools.fc | 2 ++
policy/modules/system/ipsec.fc | 2 ++
7 files changed, 16 insertions(+), 1 deletion(-)
--
2.0.4
* [refpolicy] [PATCH 1/7] Run grub(2)-mkconfig in bootloader domain
From: Sven Vermeulen @ 2014-11-22 18:54 UTC
To: refpolicy
In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
---
policy/modules/admin/bootloader.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d56f931..d908d56 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -9,4 +9,5 @@
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
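Review bot: the pattern `/usr/sbin/grub2?-mkconfig` follows the neighbouring `grub2?-install` and `grub2?-probe` entries, so both the grub and grub2 spellings receive bootloader_exec_t. The commit message says the tool performs preliminary checks before writing the configuration, yet the patch touches only the .fc file, so it is worth confirming on a live system that bootloader_t already holds every permission grub-mkconfig needs (it is a shell script that drives helpers such as grub-probe, labelled on the next line); any denials would be a bootloader.te follow-up rather than an .fc change.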
--
2.0.4
* [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
From: Sven Vermeulen @ 2014-11-22 18:54 UTC
To: refpolicy
Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
---
policy/modules/admin/sudo.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3..2ee052b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -52,7 +52,7 @@ template(`sudo_role_template',`
#
# Use capabilities.
- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
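Review bot: adding `chown` here grants it to every $1_sudo_t instantiated from the template, not only to the sudo versions (1.8.9_p5 and later per the commit message) that create the timestamp directory themselves. Because the domain already holds dac_override, fowner and setuid, the practical widening is limited, but a short comment on the rule saying that chown is needed to create /var/run/sudo/ts when /var/run is a tmpfs would keep the rationale visible to later audits of the capability set.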
@@ -117,6 +117,7 @@ template(`sudo_role_template',`
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
+ auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
auth_use_nsswitch($1_sudo_t)
init_rw_utmp($1_sudo_t)
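Review bot: `auth_pid_filetrans_pam_var_run` is called here but nothing in this series defines it, and upstream refpolicy's authlogin.if does not provide it, so the patch does not build on its own; the interface (a named file transition that labels a `sudo` directory created under the pid directory as pam_var_run_t) needs to be added to authlogin.if in the same series. The comment on the line above could also be extended to say that the directory is created by sudo itself at first use, which is why the transition is needed in addition to auth_manage_pam_pid.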
--
2.0.4
* [refpolicy] [PATCH 3/7] xfce4-notifyd is an executable
From: Sven Vermeulen @ 2014-11-22 18:54 UTC
To: refpolicy
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index c860d81..958fad7 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -239,6 +239,7 @@ ifdef(`distro_gentoo',`
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/session/balou-export-theme -- gen_context(system_u:object_r:bin_t,s0)
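Review bot: the hunk header shows this entry lands inside the `ifdef(`distro_gentoo',` block, so the label only applies on Gentoo builds; if other distributions install xfce4-notifyd at the same path it belongs in the unconditional section instead. The commit message is empty; one line saying that the daemon would otherwise inherit the /usr/lib default label and so not be executable from user domains would explain why bin_t is the intended type.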
--
2.0.4
* [refpolicy] [PATCH 4/7] Mark f2fs as a SELinux capable file system
From: Sven Vermeulen @ 2014-11-22 18:54 UTC
To: refpolicy
Since Linux kernel 3.11, F2FS supports XATTR and the security namespace.
See commit
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ae8f1627f39bae505b90cade50cd8a911b8bda6
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index cf04fb7..fd1e7fe 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -27,6 +27,7 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
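Review bot: the new `fs_use_xattr f2fs` line is in alphabetical position and matches the form of the surrounding entries. The commit message ties the support to kernel 3.11, but the statement carries no kernel-version guard (none of the neighbouring entries do either), so on an older kernel an f2fs mount cannot supply labels and its files fall back to the default context rather than being labelled; that is acceptable given the age of the kernel change, but a sentence saying so in the commit message would save the next person the research.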
--
2.0.4
* [refpolicy] [PATCH 5/7] Add in LightDM contexts
From: Sven Vermeulen @ 2014-11-22 18:54 UTC
To: refpolicy
---
policy/modules/services/xserver.fc | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 3fe4eef..71b307c 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -22,6 +22,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/lightdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+
/etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
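Review bot: `/etc/lightdm/Xsession` is inserted between the gdm and kde entries, which breaks the alphabetical order the file keeps (it should follow the kde[34]?/kdm lines), and the extra blank line after it is not used between the other display managers' entries. The commit message is empty; since LightDM is given the existing xdm types throughout the patch rather than a type of its own, a sentence stating that LightDM is being treated as another xdm_t display manager would document that decision.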
@@ -92,12 +94,16 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
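Review bot: `/var/cache/lightdm` is given xdm_var_lib_t, reusing the /var/lib type for a cache directory because no dedicated cache type appears in this module; that is pragmatic, but it means cache and state are indistinguishable to the policy and should be called out in the commit message. The blank line after the cache entry is inconsistent with the rest of the block, and `/var/log/lightdm(/.*)?` is a directory pattern while the neighbouring log entries are single files (`--`); that is correct because LightDM logs into a directory, but a comment would stop someone from "fixing" it later.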
@@ -107,6 +113,7 @@ ifndef(`distro_debian',`
/var/run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
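Review bot: `/var/run/lightdm(/.*)?` is placed after `/var/run/xdm\.pid` and before the lxdm entries, so it is out of alphabetical order; moving it directly after the gdm lines (and arguably moving the pre-existing xdm\.pid line down to the end of the block) would keep the section sorted. Otherwise the xdm_var_run_t label matches what the other display managers get.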
--
2.0.4
* [refpolicy] [PATCH 6/7] Add gdisk and efibootmgr as fsadm_exec_t
From: Sven Vermeulen @ 2014-11-22 18:54 UTC
To: refpolicy
---
policy/modules/system/fstools.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 3101274..d10368d 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -51,8 +51,10 @@
/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
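Review bot: gdisk is a partitioning tool and fits fsadm_exec_t alongside parted and partprobe, but efibootmgr does not touch block devices; it reads and writes EFI boot variables, so running it in fsadm_t only works if that domain is allowed to write the EFI variable filesystem, and bootloader_t may be the closer fit since it already covers tools that manage boot entries. Both entries are in correct alphabetical position. The commit message is empty; a line explaining why fsadm_t was chosen for efibootmgr would help.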
--
2.0.4
* [refpolicy] [PATCH 7/7] Add /var/lib/racoon as runtime directory for ipsec
From: Sven Vermeulen @ 2014-11-22 18:54 UTC
To: refpolicy
---
policy/modules/system/ipsec.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 662e79b..0f1e351 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -31,6 +31,8 @@
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+/var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
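Review bot: `/var/lib/racoon` is labelled ipsec_var_run_t, a runtime (/var/run) type on a /var/lib path. That matches the subject's description of it as a runtime directory, but if racoon keeps anything there that must survive a reboot, a separate persistent type would be the cleaner choice; a commit message saying what racoon stores there would settle the question. The extra blank line after the new entry is not used elsewhere in this block.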
--
2.0.4
* [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
From: Nicolas Iooss @ 2014-11-22 19:55 UTC
To: refpolicy
2014-11-22 19:54 GMT+01:00 Sven Vermeulen:
> [...]
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -52,7 +52,7 @@ template(`sudo_role_template',`
> #
>
> # Use capabilities.
> - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
> + allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
> allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> allow $1_sudo_t self:process { setexec setrlimit };
> allow $1_sudo_t self:fd use;
> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
> auth_run_chk_passwd($1_sudo_t, $2)
> # sudo stores a token in the pam_pid directory
> auth_manage_pam_pid($1_sudo_t)
> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
This interface does not exist in refpolicy and the build fails because
of this. Gentoo policy defines it in authlogin.if and the definition
looks good to me:
https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
Thanks,
Nicolas
* [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
From: Sven Vermeulen @ 2014-11-22 21:19 UTC
To: refpolicy
Good catch, I checked against the wrong repo :-( Thanks.
I've resent it with the interface added (although I got the mails
twice now, my git send-email-fu is not at its peak right now).
Wkr,
Sven Vermeulen
2014-11-22 20:55 GMT+01:00 Nicolas Iooss <nicolas.iooss@m4x.org>:
> 2014-11-22 19:54 GMT+01:00 Sven Vermeulen:
>> [...]
>> --- a/policy/modules/admin/sudo.if
>> +++ b/policy/modules/admin/sudo.if
>> @@ -52,7 +52,7 @@ template(`sudo_role_template',`
>> #
>>
>> # Use capabilities.
>> - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
>> + allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
>> allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
>> allow $1_sudo_t self:process { setexec setrlimit };
>> allow $1_sudo_t self:fd use;
>> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
>> auth_run_chk_passwd($1_sudo_t, $2)
>> # sudo stores a token in the pam_pid directory
>> auth_manage_pam_pid($1_sudo_t)
>> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
>
> This interface does not exist in refpolicy and the build fails because
> of this. Gentoo policy defines it in authlogin.if and the definition
> looks good to me:
> https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
>
> Thanks,
>
> Nicolas
>
* [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
From: Dominick Grift @ 2014-11-23 12:50 UTC
To: refpolicy
On Sat, Nov 22, 2014 at 10:19:47PM +0100, Sven Vermeulen wrote:
> Good catch, I checked against the wrong repo :-( Thanks.
>
> I've resent it with the interface added (although I got the mails
> twice now, my git send-email-fu is not at its peak right now).
>
> Wkr,
> Sven Vermeulen
>
> 2014-11-22 20:55 GMT+01:00 Nicolas Iooss <nicolas.iooss@m4x.org>:
> > 2014-11-22 19:54 GMT+01:00 Sven Vermeulen:
> >> [...]
> >> --- a/policy/modules/admin/sudo.if
> >> +++ b/policy/modules/admin/sudo.if
> >> @@ -52,7 +52,7 @@ template(`sudo_role_template',`
> >> #
> >>
> >> # Use capabilities.
> >> - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
> >> + allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
> >> allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> >> allow $1_sudo_t self:process { setexec setrlimit };
> >> allow $1_sudo_t self:fd use;
> >> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
> >> auth_run_chk_passwd($1_sudo_t, $2)
> >> # sudo stores a token in the pam_pid directory
> >> auth_manage_pam_pid($1_sudo_t)
> >> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
> >
> > This interface does not exist in refpolicy and the build fails because
> > of this. Gentoo policy defines it in authlogin.if and the definition
> > looks good to me:
> > https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
> >
I do not see how /var/run/sudo is associated with pam
--
Dominick Grift
* [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
From: Sven Vermeulen @ 2014-11-23 14:09 UTC
To: refpolicy
2014-11-23 13:50 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
>> >> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
>> >> auth_run_chk_passwd($1_sudo_t, $2)
>> >> # sudo stores a token in the pam_pid directory
>> >> auth_manage_pam_pid($1_sudo_t)
>> >> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
>> >
>> > This interface does not exist in refpolicy and the build fails because
>> > of this. Gentoo policy defines it in authlogin.if and the definition
>> > looks good to me:
>> > https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
>> >
>
> I do not see how /var/run/sudo is associated with pam
The authlogin.fc already contains the following:
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
I don't know if it is legacy, or because some PAM modules require a
more common access pattern. In any case, this file transition is only
to keep the application (and policy) running as-is -- without it,
users need to run "restorecon -R /var/run/sudo" every time their
system is started.
Wkr,
Sven Vermeulen
* [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
From: Dominick Grift @ 2014-11-23 14:40 UTC
To: refpolicy
On Sun, Nov 23, 2014 at 03:09:44PM +0100, Sven Vermeulen wrote:
> 2014-11-23 13:50 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
> >> >> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
> >> >> auth_run_chk_passwd($1_sudo_t, $2)
> >> >> # sudo stores a token in the pam_pid directory
> >> >> auth_manage_pam_pid($1_sudo_t)
> >> >> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
> >> >
> >> > This interface does not exist in refpolicy and the build fails because
> >> > of this. Gentoo policy defines it in authlogin.if and the definition
> >> > looks good to me:
> >> > https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
> >> >
> >
> > I do not see how /var/run/sudo is associated with pam
>
> The authlogin.fc already contains the following:
>
> /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
>
> I don't know if it is legacy, or because some PAM modules require a
> more common access pattern. In any case, this file transition is only
> to keep the application (and policy) running as-is -- without it,
> users need to run "restorecon -R /var/run/sudo" every time their
> system is started.
>
Yea, probably legacy. Just sayin' though ideally it should probably not be associated with pam_var_run_t in my view.
--
Dominick Grift
* [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
From: Christopher J. PeBenito @ 2014-12-02 15:27 UTC
To: refpolicy
On 11/23/2014 9:40 AM, Dominick Grift wrote:
> On Sun, Nov 23, 2014 at 03:09:44PM +0100, Sven Vermeulen wrote:
>> 2014-11-23 13:50 GMT+01:00 Dominick Grift
>> <dac.override@gmail.com>:
>>>>>> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
>>>>>> auth_run_chk_passwd($1_sudo_t, $2) # sudo stores a token
>>>>>> in the pam_pid directory auth_manage_pam_pid($1_sudo_t) +
>>>>>> auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
>>>>>
>>>>> This interface does not exist in refpolicy and the build
>>>>> fails because of this. Gentoo policy defines it in
>>>>> authlogin.if and the definition looks good to me:
>>>>> https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
>>>>>
>>>
>>> I do not see how /var/run/sudo is associated with pam
>>
>> The authlogin.fc already contains the following:
>>
>> /var/run/sudo(/.*)?
>> gen_context(system_u:object_r:pam_var_run_t,s0)
>> /var/run/user(/.*)?
>> gen_context(system_u:object_r:var_auth_t,s0)
>> /var/(db|adm)/sudo(/.*)?
>> gen_context(system_u:object_r:pam_var_run_t,s0)
>> /var/lib/sudo(/.*)?
>> gen_context(system_u:object_r:pam_var_run_t,s0)
>>
>> I don't know if it is legacy, or because some PAM modules require
>> a more common access pattern. In any case, this file transition
>> is only to keep the application (and policy) running as-is --
>> without it, users need to run "restorecon -R /var/run/sudo" every
>> time their system is started.
>>
>
> Yea, probably legacy. Just sayin' though ideally it should probably
> not be associated with pam_var_run_t in my view.
I agree, but will take it for now, since something like it already
exists in the policy. If we can find a better solution, I'll take
that too.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com