2014-05-29 17:23:30

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/1] RFC: Support initrc_t generated pid files with file transition

For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).

The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.

Now the question remains if we use a single interface or stick with two.
In other words, do we want something like this:

init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")

or does it make more sense to keep the classes in the name (as the names
already imply), like so:

init_daemon_run_dir(xdm_var_run_t, "xdm")
init_daemon_pid_file(postgresql_var_run_t, "postgresql.pid")

This patch chooses the latter. If not, I can easily update it to use the
other approach, and deprecate init_daemon_run_dir in favor of
init_daemon_pid_file.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.if | 28 ++++++++++++++++++++++++++++
policy/modules/system/init.te | 4 ++++
2 files changed, 32 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4c66daf..c6bc949 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -412,6 +412,34 @@ interface(`init_ranged_system_domain',`

########################################
## <summary>
+## Mark the file type as a daemon pd file, allowing initrc_t
+## to create it
+## </summary>
+## <param name="filetype">
+## <summary>
+## Type to mark as a daemon pid file
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Filename of the file that the init script creates
+## </summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+ gen_require(`
+ attribute daemonpidfile;
+ type initrc_t;
+ ')
+
+ typeattribute $1 daemonpidfile;
+
+ files_pid_file($1)
+ files_pid_filetrans(initrc_t, $1, file, $2)
+')
+
+########################################
+## <summary>
## Mark the file type as a daemon run dir, allowing initrc_t
## to create it
## </summary>
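
Review bot: the object class is fixed to file in files_pid_filetrans(initrc_t, $1, file, $2), so a daemon whose init script creates a socket, pipe or symlink in the pid directory cannot use this interface and would need yet another one. Taking the class as an extra parameter and passing it through would cover those cases. Also, the summary line reads "daemon pd file" and should say "pid file", and the filename parameter description could state that the name is the one used for the file transition.
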
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b45b540..84a3b75 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -23,6 +23,8 @@ attribute init_run_all_scripts_domain;
# Mark process types as daemons
attribute daemon;

+# Mark file type as a daemon pid file
+attribute daemonpidfile;
# Mark file type as a daemon run directory
attribute daemonrundir;

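Review bot: attribute daemonpidfile; is followed directly by the comment for daemonrundir, with no blank line between the two declarations, while attribute daemon; above is set off by one. Add an empty line after attribute daemonpidfile; so each attribute keeps its own comment block.
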
@@ -247,6 +249,8 @@ init_telinit(initrc_t)

can_exec(initrc_t, init_script_file_type)

+manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile)
+
create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)

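Review bot: manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile) passes daemonpidfile as the directory type as well as the file type, which grants initrc_t read/write directory permissions on types that this patch only labels as files. The files are created in the pid directory through files_pid_filetrans, so a rule limited to the file class (allow initrc_t daemonpidfile:file manage_file_perms;) would be enough. It is also worth stating why full manage access is needed here when the daemonrundir rules just below grant only create and setattr.
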
--
1.8.5.5


2014-06-02 15:23:55

by cpebenito

Subject: [refpolicy] [PATCH 1/1] RFC: Support initrc_t generated pid files with file transition

On 05/29/2014 01:23 PM, Sven Vermeulen wrote:
> For some daemons, it is the init script that is responsible for creating
> the PID file of the daemon. As we do not want to update the init SELinux
> policy module for each of these situations, we need to introduce an
> interface that can be called by the SELinux policy module of the caller
> (the daemon domain).
>
> The initial suggestion was to transform the init_daemon_run_dir
> interface, which offers a similar approach for directories in /run, into
> a class-agnostic interface. Several names have been suggested, such as
> init_script_spec_run_content or init_script_generic_run_filetrans_spec,
> but in the end init_daemon_pid_file was used.
>
> Now the question remains if we use a single interface or stick with two.
> In other words, do we want something like this:
>
> init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
> init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
>
> or does it make more sense to keep the classes in the name (as the names
> already imply), like so:
>
> init_daemon_run_dir(xdm_var_run_t, "xdm")
> init_daemon_pid_file(postgresql_var_run_t, "postgresql.pid")
>
> This patch chooses the latter. If not, I can easily update it to use the
> other approach, and deprecate init_daemon_run_dir in favor of
> init_daemon_pid_file.

I think we probably want the first one. Then we wouldn't run into problems in the future when we run across an init script, for example, that wants to create a symlink or pipe, etc.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com