From d981fce3e111f53a4b55dde97fdc83edc0c8017b Mon Sep 17 00:00:00 2001 From: Sven Vermeulen Date: Tue, 30 Oct 2012 22:51:56 +0100 Subject: [PATCH] Update files_manage_generic_locks with directory permissions Currently, the files_manage_generic_locks only handles the lock files. If a domain needs to manage both lock files and the lock directories (like specific subdirectories in /var/lock that are not owned by a single other domain, such as Gentoo's /var/lock/subsys location) it also needs the manage permissions on the directory. This is to support OpenRC's migration of /var/lock to /run/lock which otherwise fails: * Migrating /var/lock to /run/lock cp: cannot create directory '/run/lock/subsys': Permission denied rm: cannot remove '/var/lock/subsys': Permission denied Signed-off-by: Sven Vermeulen
---
policy/modules/kernel/files.if | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 7c4b4ae33..1f0c6f8cf 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5818,6 +5818,7 @@ interface(`files_manage_generic_locks',`
 allow $1 var_t:dir search_dir_perms;
 allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ manage_dirs_pattern($1, var_lock_t, var_lock_t)
 manage_files_pattern($1, var_lock_t, var_lock_t)
 ')
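Review bot: The added `manage_dirs_pattern($1, var_lock_t, var_lock_t)` widens files_manage_generic_locks for every domain that already calls it, not only for the OpenRC migration case in the commit message. Each caller would now also hold directory management permissions on var_lock_t directories. Consider putting the directory grant in a separate interface that only the domains performing the migration call, so callers that need lock files alone keep the narrower permission set. If the line stays here, the interface's summary comment (above this hunk, not visible) presumably still describes lock files only and should mention directories, for example `Create, read, write, and delete generic lock files and directories.` The interface body begins outside the hunk.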