Without /run, most init scripts use /var/run/<service> as their var_run_t location (like sshd_var_run_t). This location is often created by a package and, by just setting the right context, the package manager makes this location correctly labeled from the start. With /run however, these directories are (re)created over and over again at every boot (since /run is a tmpfs). The directories are often created by init scripts, running in initrc_t, but are otherwise not SELinux-aware. As a result, all created directories in /run inherit the initrc_var_run_t label. Although one fix could be to update all init scripts to run "restorecon" afterwards, this might be fixed by the policy as well (using named file transitions).

Reproducible: Always
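As an illustration of the policy-side fix the report proposes, here is a minimal SELinux policy module in reference-policy syntax. It is an added example written for this page, not the actual change that landed in the hardened-dev overlay; the module name run_transition_example is assumed, the type names follow the report (initrc_t, var_run_t, sshd_var_run_t), and the directory name "sshd" is taken as the example service. Named file transitions require policy version 25 or later (kernel 2.6.39+), so the module will not load on older toolchains.

```selinux
# Added example, not the project's own code: a named file transition so that
# a directory called "sshd" created by init scripts under /run (var_run_t)
# is labeled sshd_var_run_t instead of inheriting initrc_var_run_t.
# Module name is assumed; type names are the ones used in the report.

policy_module(run_transition_example, 1.0)

require {
    type initrc_t;
    type var_run_t;
    type sshd_var_run_t;
    class dir { create setattr search write add_name };
}

# Init scripts need to write into the parent directory (/run, var_run_t) ...
allow initrc_t var_run_t:dir { search write add_name };

# ... and create/set attributes on the new directory, which is checked
# against the type it will receive after the transition, not the parent's.
allow initrc_t sshd_var_run_t:dir { create setattr };

# The named file transition itself: only a directory literally named "sshd"
# created by initrc_t inside a var_run_t directory gets sshd_var_run_t.
# Other directories created by init scripts in /run keep the default
# (initrc_var_run_t) behaviour described in the report.
type_transition initrc_t var_run_t:dir sshd_var_run_t "sshd";

# Equivalent reference-policy macro form (assumed to be available in the
# policy's support macros):
#   filetrans_pattern(initrc_t, var_run_t, sshd_var_run_t, dir, "sshd")
```

After building and loading the module, the check a practitioner would run after a reboot is `ls -dZ /run/sshd`, which should show sshd_var_run_t, and `restorecon -nv /run/sshd`, which should report nothing to relabel; if it does, the transition did not fire (wrong creating domain, wrong parent type, or a policy too old for named transitions) and the init script is still relying on the restorecon workaround.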
Necessary named file transitions will be supported in r11
In hardened-dev overlay, rev 11
In main tree, ~arch'ed
Stabilized