On Wed, 14.07.10 13:47, Daniel J Walsh (dwalsh@xxxxxxxxxx) wrote:

> > Hardcoding foo_t is bad if they ever switch policy (MLS, etc.). But
> > it is an option.
> >
> > Bill
> Not sure this works, but this would be preferable.
> ExecStartPre=-"/bin/mkdir -p /var/run/foo; restorecon /var/run/foo"

Yes this would work, though in a different syntax:

ExecStartPre=-/bin/mkdir -p /var/run/foo ; -/sbin/restorecon /var/run/foo

(The initial - btw means that the exit code of the command is ignored)

> But I can write policy to make the tools do apps do the right thing and
> label the directory correctly, with no hard coding.
>
> myapp_t creating a directory in var_run_t will be labeled
> myapp_var_run_t. I would just need to go through all the policy that
> uses var_run_t directories and make sure it has this rule.

Hmm, if you would be willing to do that, then it would be great to find
somebody who fixed the .specs and makes a list of packages whose selinux
policy needs fixing. Anyone? Rahul you showed vague interest on IRC?

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
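The labeling rule described in the quoted text, written out as a reference-policy module with the matching file-context entry that restorecon consults. This is an added example, not part of the original message or of any shipped policy; the module name, myapp_exec_t and the choice of interfaces are assumptions, and /var/run/foo is the path used in the thread.

```selinux
# ---- myapp.te (constructed module for a hypothetical "myapp" daemon) ----
policy_module(myapp, 1.0.0)

# Daemon domain and its entry-point type (names assumed for illustration).
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Private type for the daemon's runtime state under /var/run.
type myapp_var_run_t;
files_pid_file(myapp_var_run_t)

# Allow the daemon to manage directories and files carrying its own type.
manage_dirs_pattern(myapp_t, myapp_var_run_t, myapp_var_run_t)
manage_files_pattern(myapp_t, myapp_var_run_t, myapp_var_run_t)

# The rule from the message: an object that myapp_t creates inside a
# var_run_t directory is labeled myapp_var_run_t automatically.
# For directories the underlying raw rule is:
#   type_transition myapp_t var_run_t:dir myapp_var_run_t;
files_pid_filetrans(myapp_t, myapp_var_run_t, { dir file })

# ---- myapp.fc (file contexts used by restorecon) ----
# restorecon looks the label up here, so the unit file never names a type.
/var/run/foo(/.*)?    gen_context(system_u:object_r:myapp_var_run_t,s0)
```

The type transition applies only when a process running as myapp_t creates the directory. A directory created from another domain does not get this label from the transition, which is the case the restorecon call and the .fc entry cover.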