lockfile: Keep lockfile owned by root
On Fedora 28, sanlock fails to create the lockfile before dropping
privileges, because /run/sanlock is owned by sanlock, and selinux
disables DAC_OVERRIDE.
To allow root to create the lockfile before dropping privileges
/run/sanlock is owned by group root, and group writable. Since sanlock
never write to the lockfile after dropping privileges, keep the lockfile
owned by root.
Here are /run/sanlock permissions with this change:
$ ls -lhdZ /run/sanlock
drwxrwxr-x. 2 sanlock root system_u:object_r:sanlock_var_run_t:s0 80 Nov 29 23:07 /run/sanlock
$ ls -lhZ /run/sanlock
total 4.0K
-rw-r--r--. 1 root root system_u:object_r:sanlock_var_run_t:s0 5 Nov 29 23:07 sanlock.pid
srw-rw----. 1 sanlock sanlock system_u:object_r:sanlock_var_run_t:s0 0 Nov 29 23:07 sanlock.sock
Signed-off-by: Nir Soffer <nsoffer@redhat.com>