From 7ff92a886afacbe309365d1f0c4524b5c7b293d0 Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Thu, 16 Feb 2017 16:08:47 +0100
Subject: [PATCH] files: no default types for /run and /var/lock

encourage private types for /run and /var/lock by not providing default contexts anymore
---
 policy/modules/kernel/files.fc | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 11bc31b36..d1f1b9615 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -155,11 +155,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
 #
 /run			-d	gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
 /run			-l	gen_context(system_u:object_r:var_run_t,s0)
-/run/.*				gen_context(system_u:object_r:var_run_t,s0)
-/run/.*\.*pid			<<none>>
-
-/run/lock		-d	gen_context(system_u:object_r:var_lock_t,s0)
-/run/lock		-l	gen_context(system_u:object_r:var_lock_t,s0)
+/run/.*				<<none>>
 
 #
 # /selinux
@@ -243,7 +239,10 @@ ifndef(`distro_redhat',`
 
 /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 
-/var/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock		-d	gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh)
+/var/lock		-l	gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock/subsys	-d	gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh)
+/var/lock/.*			<<none>>
 
 /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/log/lost\+found/.*		<<none>>