Due to the introduction of /run, many init scripts need to create the daemon run
dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted.
Changes since v2
----------------
- Complete rewrite based on feedback from mailinglist
Due to the introduction of /run, many init scripts need to create the daemon run
dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted.
Modules can then call this interface, passing the name of the directory. This
triggers a named file transition when initrc_t creates that directory:
init_daemon_run_dir(udev_var_run_t, "udev")
will trigger
files_pid_filetrans(initrc_t, udev_var_run_t, dir, "udev")
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.if | 27 +++++++++++++++++++++++++++
policy/modules/system/init.te | 5 +++++
2 files changed, 32 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d26fe81..0cce693 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -417,6 +417,33 @@ interface(`init_ranged_system_domain',`
########################################
## <summary>
+## Mark the file type as a daemon run dir, allowing
+## initrc_t to create it
+## </summary>
+## <param name="filetype">
+## <summary>
+## Type to mark as a daemon run dir
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Filename of the directory that the init script creates
+## </summary>
+## </param>
+#
+interface(`init_daemon_run_dir',`
+ gen_require(`
+ attribute daemonrundir;
+ type initrc_t;
+ ')
+
+ typeattribute $1 daemonrundir;
+
+ files_pid_filetrans(initrc_t, $1, dir, $2)
+')
+
+########################################
+## <summary>
## Execute init (/sbin/init) with a domain transition.
## </summary>
## <param name="domain">
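Review bot: The summary of the new init_daemon_run_dir interface says it allows initrc_t to create the directory, but the body only adds `$1` to the daemonrundir attribute and registers the named transition; the create permission itself is granted elsewhere (by the attribute rule in init.te), so a reader of init.if alone cannot tell where that permission comes from. I would say so in the summary, e.g. `## Mark the file type as a daemon run dir. The create permission for initrc_t is granted once in init.te through the daemonrundir attribute; this interface only marks the type and registers the named transition under var_run_t.` The `filename` parameter should also note that the name becomes a named type_transition for initrc_t under var_run_t, so, as far as I can tell, two types registered with the same name would yield conflicting transition rules at build time; callers need to keep the name unique among daemonrundir users.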
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4a88fa1..bf167d5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -29,6 +29,9 @@ attribute init_run_all_scripts_domain;
# Mark process types as daemons
attribute daemon;
+# Mark file type as a daemon run directory
+attribute daemonrundir;
+
#
# init_t is the domain of the init process.
#
@@ -242,6 +245,8 @@ init_telinit(initrc_t)
can_exec(initrc_t, init_script_file_type)
+create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
+
domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
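Review bot: The second argument of `create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)` names the parent directory type, but the directories registered through init_daemon_run_dir are created under var_run_t by files_pid_filetrans, not under a daemonrundir-typed parent. If create_dirs_pattern expands as in the refpolicy support macros (add_entry_dir_perms on the second argument, create_dir_perms on the third), this line grants initrc_t write/add_name on every daemon run directory in addition to the create permission, which is broader than the stated goal of letting init scripts create the directories themselves. The narrower form is `allow initrc_t daemonrundir:dir create_dir_perms;`, relying on the permissions initrc_t already has on var_run_t for the parent. The surrounding initrc_t rule block continues outside the hunk.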
--
1.7.8.6
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the udev daemon with the proper file transition.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.te | 1 -
policy/modules/system/udev.if | 9 +++------
policy/modules/system/udev.te | 1 +
3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bf167d5..eb236c3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -834,7 +834,6 @@ optional_policy(`
optional_policy(`
udev_rw_db(initrc_t)
- udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
udev_manage_pid_files(initrc_t)
udev_manage_pid_dirs(initrc_t)
udev_manage_rules_files(initrc_t)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 77a13a5..951fd25 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -263,7 +263,8 @@ interface(`udev_manage_pid_dirs',`
########################################
## <summary>
-## Create directories in the run location with udev_var_run_t type
+## Create directories in the run location with udev_var_run_t type.
+## This method is deprecated in favor of the init_daemon_run_dir interface.
## </summary>
## <param name="domain">
## <summary>
@@ -277,11 +278,7 @@ interface(`udev_manage_pid_dirs',`
## </param>
#
interface(`udev_generic_pid_filetrans_run_dirs',`
- gen_require(`
- type udev_var_run_t;
- ')
-
- files_pid_filetrans($1, udev_var_run_t, dir, $2)
+ refpolicywarn(`$0($*) has been deprecated, please use init_daemon_run_dir instead.')
')
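Review bot: After this change udev_generic_pid_filetrans_run_dirs performs no policy action, yet its summary in the previous hunk of this file still describes it as creating directories with the udev_var_run_t type; an out-of-tree module that keeps calling it gets only a build-time warning while silently losing the transition, so a /run/udev it creates would inherit the parent var_run_t label instead of udev_var_run_t. I would make the summary state the new reality rather than the old behaviour, e.g. `## Deprecated: this interface no longer sets up any file transition; callers must switch to init_daemon_run_dir.` The refpolicywarn line itself follows the usual deprecation convention and can stay as written.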
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index ee6b046..41459ec 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -25,6 +25,7 @@ files_type(udev_rules_t)
type udev_var_run_t;
files_pid_file(udev_var_run_t)
+init_daemon_run_dir(udev_var_run_t, "udev")
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
--
1.7.8.6
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the dbus, mysqld and tor daemons with the proper file transitions.
Signed-off-by: Sven Vermeulen <[email protected]>
---
dbus.te | 1 +
mysql.te | 1 +
tor.te | 1 +
3 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/dbus.te b/dbus.te
index 625cb32..05f2b89 100644
--- a/dbus.te
+++ b/dbus.te
@@ -35,6 +35,7 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
+init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
diff --git a/mysql.te b/mysql.te
index 1cf05a3..d4206c9 100644
--- a/mysql.te
+++ b/mysql.te
@@ -22,6 +22,7 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)
+init_daemon_run_dir(mysqld_var_run_t, "mysqld")
type mysqld_db_t;
files_type(mysqld_db_t)
diff --git a/tor.te b/tor.te
index c842cad..8cdfd7b 100644
--- a/tor.te
+++ b/tor.te
@@ -35,6 +35,7 @@ logging_log_file(tor_var_log_t)
# pid files
type tor_var_run_t;
files_pid_file(tor_var_run_t)
+init_daemon_run_dir(tor_var_run_t, "tor")
########################################
#
--
1.7.8.6
On Tue, Aug 14, 2012 at 07:28:17PM +0200, Sven Vermeulen wrote:
> Due to the introduction of /run, many init scripts need to create the daemon run
> dirs (such as /run/udev for the udev init script). To simplify this, we
> introduce the "daemonrundir" attribute to which initrc_t has the necessary
> create_dirs_perms granted.
[...]
> @@ -242,6 +245,8 @@ init_telinit(initrc_t)
>
> can_exec(initrc_t, init_script_file_type)
>
> +create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
> +
> domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
>
> manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
I seem to have a few cases where the init script is also responsible for
changing the ownership of the directories (actually every time the service
itself doesn't run as root), which would need the following added as well:
setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
(or the allow-rule).
Does it make sense to add it here as well (so allow this generally)? If not,
I'd need to enhance the initrc_t domain with all the necessary
*_setattr_run_dir interface calls anyhow.
Wkr,
Sven Vermeulen
On 08/16/12 07:25, Sven Vermeulen wrote:
> On Tue, Aug 14, 2012 at 07:28:17PM +0200, Sven Vermeulen wrote:
>> Due to the introduction of /run, many init scripts need to create the daemon run
>> dirs (such as /run/udev for the udev init script). To simplify this, we
>> introduce the "daemonrundir" attribute to which initrc_t has the necessary
>> create_dirs_perms granted.
> [...]
>> @@ -242,6 +245,8 @@ init_telinit(initrc_t)
>>
>> can_exec(initrc_t, init_script_file_type)
>>
>> +create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
>> +
>> domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
>>
>> manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
>
> I seem to have a few cases where the init script is also responsible for
> changing the ownership of the directories (actually every time the service
> itself doesn't run as root), which would need the following added as well:
>
> setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
>
> (or the allow-rule).
>
> Does it make sense to add it here as well (so allow this generally)? If not,
> I'd need to enhance the initrc_t domain with all the necessary
> *_setattr_run_dir interface calls anyhow.
I'm ok with adding this.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com