Christian Göttsche <cgzones@xxxxxxxxxxxxxx> writes: > Do not remove the runtime directory /run/setrans/, which is the parent > for the security context translation socket .setrans-unix, when the > service is stopped, so the path can not be taken over by a foreign > program, which could lead to a compromise of the context translation of > libselinux. > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> I lost Jim's Acked-by mail but according to https://lore.kernel.org/all/CAP+JOzSvvg_2pZ6aeLGs9Oqh2nK0zpBGAURwbofh9DSAT39iVw@xxxxxxxxxxxxxx/ it was acked and it's merged now. Thanks. > --- > mcstrans/src/mcstrans.service | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/mcstrans/src/mcstrans.service b/mcstrans/src/mcstrans.service > index c13cd09a..fdcfb0d4 100644 > --- a/mcstrans/src/mcstrans.service > +++ b/mcstrans/src/mcstrans.service > @@ -9,6 +9,7 @@ Conflicts=shutdown.target > [Service] > ExecStart=/sbin/mcstransd -f > RuntimeDirectory=setrans > +RuntimeDirectoryPreserve=true > > [Install] > WantedBy=multi-user.target > -- > 2.39.0
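
Review bot: The added `RuntimeDirectoryPreserve=true` line in the `[Service]` section has no comment in the unit file saying why the directory is kept. The rationale (keeping /run/setrans/ in place so the path of the .setrans-unix socket cannot be taken over once the service is stopped) exists only in the commit message, so a later cleanup could drop the setting without noticing its security purpose. A one-line comment above the setting would carry that over. Separately, since the directory and its contents now survive a stop, it is worth confirming that mcstransd copes with a leftover .setrans-unix socket from the previous run when it starts again.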