2012-07-31 17:45:23

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 0/2] More /run changes

This set contains a few more /run changes:
- dhcpc creates /run/dhcpc (through scripts in the dhcpcd-hooks)
- dbus' init script creates /run/dbus
- mysql's init script creates /run/mysqld

It will be submitted separately: first the changes to the contrib modules,
followed by the changes to the core policy modules.

This one is for the contrib modules.

Changes since v1
----------------

- The init script for mysql also needs setattr rights on the run dirs

Sven Vermeulen (2):
Introducing interfaces for /run transitioning
Introduce interfaces for mysql /run support

dbus.if | 47 ++++++++++++++++++++++++++++++++++++++++++++
mysql.if | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 112 insertions(+), 0 deletions(-)

--
1.7.8.6


2012-07-31 17:45:24

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 1/2] Introducing interfaces for /run transitioning

To allow the dbus init scripts to, when they create the /run/dbus directory,
automatically transition towards the system_dbusd_var_run_t label, we need to
introduce two interfaces: one for the transitioning itself, and one to allow the
init script to create directories of system_dbusd_var_run_t type.

Signed-off-by: Sven Vermeulen <[email protected]>
---
dbus.if | 47 +++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 47 insertions(+), 0 deletions(-)

diff --git a/dbus.if b/dbus.if
index fb4bf82..b0322b5 100644
--- a/dbus.if
+++ b/dbus.if
@@ -485,6 +485,53 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`

########################################
## <summary>
+## Automatically transition towards the system_dbus_var_run_t for resources
+## created in the generic var_run_t locations.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Classes supported for the transitioning
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Optional file name used for the resources
+## </summary>
+## </param>
+#
+interface(`dbus_generic_pid_filetrans_system_dbusd_run',`
+ gen_require(`
+ type system_dbusd_var_run_t;
+ ')
+
+ files_pid_filetrans($1, system_dbusd_var_run_t, $2, $3)
+')
+
+##########################################
+## <summary>
+## Create directories with the system_dbusd_var_run_t label
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dbus_create_system_dbusd_run_dirs',`
+ gen_require(`
+ type system_dbusd_var_run_t;
+ ')
+
+ create_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+## <summary>
## Allow unconfined access to the system DBUS.
## </summary>
## <param name="domain">
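Review bot: the summary of `dbus_generic_pid_filetrans_system_dbusd_run` names `system_dbus_var_run_t`, but the type required in `gen_require` and passed to `files_pid_filetrans` is `system_dbusd_var_run_t`; fix the doc comment, since the generated interface documentation will otherwise point at a type that does not exist. Two smaller style points in the same hunk: the `##########################################` banner before `dbus_create_system_dbusd_run_dirs` is two characters longer than the 40-character banners used elsewhere in this file, and the name shape `dbus_generic_pid_filetrans_system_dbusd_run` differs from the `mysql_generic_run_filetrans_pid` introduced in 2/2 for the same purpose; pick one pattern for both patches.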
--
1.7.8.6

2012-07-31 17:45:25

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 2/2] Introduce interfaces for mysql /run support

To allow the mysql init scripts to create /run/mysqld, we need to include three
interfaces from mysql: one to support the file transition towards
mysqld_var_run_t, one to allow the init scripts to create
mysqld_var_run_t-labeled directories and one to change the attributes of the
directory (change ownership).

Signed-off-by: Sven Vermeulen <[email protected]>
---
mysql.if | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 65 insertions(+), 0 deletions(-)

diff --git a/mysql.if b/mysql.if
index e9c0982..6b9b5f5 100644
--- a/mysql.if
+++ b/mysql.if
@@ -311,6 +311,71 @@ interface(`mysql_search_pid_files',`
search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
')

+#######################################
+## <summary>
+## Automatically use the MySQL run label for created resources in the
+## generic run location(s).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to have automatic transitioning
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Resource class for which an automatic transition should occur
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the resource being created
+## </summary>
+## </param>
+#
+interface(`mysql_generic_run_filetrans_pid',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ files_pid_filetrans($1, mysqld_var_run_t, $2, $3)
+')
+
+#######################################
+## <summary>
+## Change the attributes of the MySQL run dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mysql_setattr_run_dirs',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ setattr_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+#######################################
+## <summary>
+## Create MySQLd run directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mysql_create_run_dirs',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ create_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
########################################
## <summary>
## All of the rules required to administrate an mysql environment
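Review bot: the three new interfaces use `run` in their names (`mysql_generic_run_filetrans_pid`, `mysql_setattr_run_dirs`, `mysql_create_run_dirs`) while the neighbouring interface at the top of the hunk is `mysql_search_pid_files` and the type they all refer to is `mysqld_var_run_t`; naming them with `pid` would match what the module already exports. The `#######################################` banners above each new interface are 39 characters, one short of the 40 used for `mysql_search_pid_files` and for the admin interface that follows. The `<summary>` of `mysql_setattr_run_dirs` only says "Change the attributes"; since the commit message motivates it with changing ownership, say that `setattr` on the directory covers chown/chmod of the directory itself, not of anything inside it.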
--
1.7.8.6
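As an added illustration of the calling side these interfaces are written for, not part of this series or of refpolicy itself: a hypothetical `.te` fragment for the init script domain, assumed here to be `initrc_t` (the core policy changes the cover letter says are submitted separately are not visible in this thread, so the exact rules there may differ). It creates /run/dbus and /run/mysqld with the dbus and mysql run labels.

```selinux
# Added example, not from the patches above. Assumes the init scripts run in
# initrc_t and that both contrib modules are loaded on the system.

optional_policy(`
	# /run/dbus, created by the dbus init script
	dbus_create_system_dbusd_run_dirs(initrc_t)
	dbus_generic_pid_filetrans_system_dbusd_run(initrc_t, dir, "dbus")
')

optional_policy(`
	# /run/mysqld, created and chowned by the mysql init script
	mysql_create_run_dirs(initrc_t)
	mysql_setattr_run_dirs(initrc_t)
	mysql_generic_run_filetrans_pid(initrc_t, dir, "mysqld")
')
```

The optional third argument is what lets the two rules coexist: both expand to a `type_transition` with source `initrc_t`, target `var_run_t` and class `dir`, so without a name they would be two conflicting unnamed transitions to different types and the policy would fail to build, and the unnamed form would also relabel every directory `initrc_t` creates under /run. Name-based transitions need policy version 25 (Linux 2.6.39 or later). After building and loading, `sesearch -T -s initrc_t -t var_run_t -c dir` lists the resulting transitions.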