Due to the introduction of /run, many init scripts need to create the daemon run
dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted.
Changes since v3
----------------
- Add in setattr rights towards the daemonrundir types for initrc_t
- Add in a couple of more identified domains that need this
- Remove deprecation of previous functions, they are not used anymore, but not
deprecated. The referred alternative (init_daemon_run_dir) is only when the
methods were called for initrc_t.
Due to the introduction of /run, many init scripts need to create the daemon run
dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted. Because it often needs to change the attributes or
ownership of the directories as well, we also grant the setattr rights on the
directory.
Then, when needed, the modules can call this interface while adding the name of
the directory. This will trigger a named file transition when initrc_t creates
this directory:
init_daemon_run_dir(udev_var_run_t, "udev")
will trigger
files_pid_filetrans(initrc_t, udev_var_run_t, dir, "udev")
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.if | 27 +++++++++++++++++++++++++++
policy/modules/system/init.te | 6 ++++++
2 files changed, 33 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d26fe81..3f0c2d3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -417,6 +417,33 @@ interface(`init_ranged_system_domain',`
########################################
## <summary>
+## Mark the file type as a daemon run dir, allowing initrc_t
+## to create it
+## </summary>
+## <param name="filetype">
+## <summary>
+## Type to mark as a daemon run dir
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Filename of the directory that the init script creates
+## </summary>
+## </param>
+#
+interface(`init_daemon_run_dir',`
+ gen_require(`
+ attribute daemonrundir;
+ type initrc_t;
+ ')
+
+ typeattribute $1 daemonrundir;
+
+ files_pid_filetrans(initrc_t, $1, dir, $2)
+')
+
+########################################
+## <summary>
## Execute init (/sbin/init) with a domain transition.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f3c70ff..933f846 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -29,6 +29,9 @@ attribute init_run_all_scripts_domain;
# Mark process types as daemons
attribute daemon;
+# Mark file type as a daemon run directory
+attribute daemonrundir;
+
#
# init_t is the domain of the init process.
#
@@ -242,6 +245,9 @@ init_telinit(initrc_t)
can_exec(initrc_t, init_script_file_type)
+create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
+setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
+
domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
--
1.7.8.6
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the udev daemon with the proper file transition.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.te | 1 -
policy/modules/system/udev.te | 1 +
2 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 933f846..e57cff9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -835,7 +835,6 @@ optional_policy(`
optional_policy(`
udev_rw_db(initrc_t)
- udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
udev_manage_pid_files(initrc_t)
udev_manage_pid_dirs(initrc_t)
udev_manage_rules_files(initrc_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index ee6b046..41459ec 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -25,6 +25,7 @@ files_type(udev_rules_t)
type udev_var_run_t;
files_pid_file(udev_var_run_t)
+init_daemon_run_dir(udev_var_run_t, "udev")
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
--
1.7.8.6
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the postgresql service.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/postgresql.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 4318f73..b49c929 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -63,6 +63,7 @@ files_tmp_file(postgresql_tmp_t)
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
+init_daemon_run_dir(postgresql_var_run_t, "postgresql")
# database clients attribute
attribute sepgsql_admin_type;
--
1.7.8.6
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the asterisk, consolekit, dbus, mysql, nscd and tor services.
Signed-off-by: Sven Vermeulen <[email protected]>
---
asterisk.te | 1 +
consolekit.te | 1 +
dbus.te | 1 +
mysql.te | 1 +
nscd.te | 1 +
tor.te | 1 +
6 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/asterisk.te b/asterisk.te
index 159610b..9907175 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -33,6 +33,7 @@ files_type(asterisk_var_lib_t)
type asterisk_var_run_t;
files_pid_file(asterisk_var_run_t)
+init_daemon_run_dir(asterisk_var_run_t, "asterisk")
########################################
#
diff --git a/consolekit.te b/consolekit.te
index 6f2896d..516328a 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -14,6 +14,7 @@ logging_log_file(consolekit_log_t)
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
+init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
########################################
#
diff --git a/dbus.te b/dbus.te
index 625cb32..05f2b89 100644
--- a/dbus.te
+++ b/dbus.te
@@ -35,6 +35,7 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
+init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
diff --git a/mysql.te b/mysql.te
index 1cf05a3..d4206c9 100644
--- a/mysql.te
+++ b/mysql.te
@@ -22,6 +22,7 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)
+init_daemon_run_dir(mysqld_var_run_t, "mysqld")
type mysqld_db_t;
files_type(mysqld_db_t)
diff --git a/nscd.te b/nscd.te
index 7936e09..de5fdc1 100644
--- a/nscd.te
+++ b/nscd.te
@@ -13,6 +13,7 @@ gen_require(`
# ordering problem with loadable modules
type nscd_var_run_t;
files_pid_file(nscd_var_run_t)
+init_daemon_run_dir(nscd_var_run_t, "nscd")
# nscd is both the client program and the daemon.
type nscd_t;
diff --git a/tor.te b/tor.te
index c842cad..8cdfd7b 100644
--- a/tor.te
+++ b/tor.te
@@ -35,6 +35,7 @@ logging_log_file(tor_var_log_t)
# pid files
type tor_var_run_t;
files_pid_file(tor_var_run_t)
+init_daemon_run_dir(tor_var_run_t, "tor")
########################################
#
--
1.7.8.6
On 25/08/2012 20:26, Sven Vermeulen wrote:
> Use the init_daemon_run_dir interface in order to allow initrc_t to create the
> run dirs of the asterisk, consolekit, dbus, mysql, nscd and tor services.
I think this patch is aligned differently than the previous 3 of the set
because it has been probably created without the -p1 option.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> asterisk.te | 1 +
> consolekit.te | 1 +
> dbus.te | 1 +
> mysql.te | 1 +
> nscd.te | 1 +
> tor.te | 1 +
> 6 files changed, 6 insertions(+), 0 deletions(-)
[cut]
Regards,
Guido
No, it is a git patch from the contrib submodule.
On Aug 26, 2012 12:47 AM, "Guido Trentalancia" <[email protected]>
wrote:
> On 25/08/2012 20:26, Sven Vermeulen wrote:
>
>> Use the init_daemon_run_dir interface in order to allow initrc_t to
>> create the
>> run dirs of the asterisk, consolekit, dbus, mysql, nscd and tor services.
>>
>
> I think this patch is aligned differently than the previous 3 of the set
> because it has been probably created without the -p1 option.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
>> ---
>> asterisk.te | 1 +
>> consolekit.te | 1 +
>> dbus.te | 1 +
>> mysql.te | 1 +
>> nscd.te | 1 +
>> tor.te | 1 +
>> 6 files changed, 6 insertions(+), 0 deletions(-)
>>
>
> [cut]
>
> Regards,
>
> Guido
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20120826/d09e8350/attachment.html
On 08/25/12 14:24, Sven Vermeulen wrote:
> Due to the introduction of /run, many init scripts need to create the daemon run
> dirs (such as /run/udev for the udev init script). To simplify this, we
> introduce the "daemonrundir" attribute to which initrc_t has the necessary
> create_dirs_perms granted.
>
> Changes since v3
> ----------------
>
> - Add in setattr rights towards the daemonrundir types for initrc_t
> - Add in a couple of more identified domains that need this
> - Remove deprecation of previous functions, they are not used anymore, but not
> deprecated. The referred alternative (init_daemon_run_dir) is only when the
> methods were called for initrc_t.
This set merged. It think one minor additional tweak would have init_daemon_run_dir() to call files_pid_file() since the former is a subset of the latter.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com