From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Tue, 13 Jul 2010 16:57:45 -0400
Subject: [refpolicy] Defining per-service initrc domains
Message-ID: <1279054665.28691.227.camel@moss-pluto.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

We would like to be able to define a set of per-service initrc domains for particular rc scripts. Although there seem to be a number of per-service rc script file types (e.g. ftpd_initrc_exec_t), init_t still transitions to the single initrc_t domain on all of those file types. We want to instead launch the different rc scripts in distinct domains from which we can then define per-service domain and file type transitions as well as different permissions.

At first I thought that the init_script_domain() interface might work for this purpose, but that yields a transition to the single initrc_t domain from init_t and unconfined_t and only transitions to the new domain if we started from initrc_t. Is that intentional or a mistake? I presume it is happening as a result of rules on the type attributes elsewhere outside of the interface itself.

Is there any precedent for creating such per-service initrc domains? And do we have any interfaces for doing so?

-- 
Stephen Smalley
National Security Agency
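For readers unfamiliar with what the message is asking for, the following is an added illustration, not code from the message or from refpolicy: the raw SELinux policy statements that make up one per-service initrc domain, written without refpolicy macros so the individual rules are visible. It assumes the base policy already declares init_t, initrc_t, the system_r role and the process/file classes; ftpd_initrc_t and the per_service_initrc_domain attribute are hypothetical names chosen for the example, and ftpd_initrc_exec_t is the script type the message itself mentions.

```selinux
# Added example (not from the message or refpolicy): a minimal per-service
# initrc domain in raw SELinux policy language.
# Assumed to exist in the base policy: init_t, initrc_t, role system_r,
# classes file and process. Hypothetical names: ftpd_initrc_t,
# per_service_initrc_domain.

attribute per_service_initrc_domain;          # collects such domains for shared rules

type ftpd_initrc_t, per_service_initrc_domain; # the new per-service rc script domain
type ftpd_initrc_exec_t;                       # label carried by the ftpd rc script

role system_r types ftpd_initrc_t;

# init must be able to read and execute the script file ...
allow init_t ftpd_initrc_exec_t : file { getattr open read execute };
# ... the new domain must accept that file as its entry point ...
allow ftpd_initrc_t ftpd_initrc_exec_t : file { entrypoint read execute };
# ... and the process transition itself must be permitted in both directions.
allow init_t ftpd_initrc_t : process transition;
allow ftpd_initrc_t init_t : process sigchld;

# The default transition: init_t executing ftpd_initrc_exec_t ends up in
# ftpd_initrc_t instead of the shared initrc_t.
type_transition init_t ftpd_initrc_exec_t : process ftpd_initrc_t;
```

The check that matters for the question raised above: a type_transition is keyed on (source type, target type, class), and attribute-based rules expand to one rule per member type. If ftpd_initrc_exec_t also carries an attribute that some other rule transitions from init_t to initrc_t, the compiled policy contains two default transitions for the same key, which checkpolicy rejects as a conflicting TE rule. Listing the per-service script type under that attribute and also giving it its own transition therefore cannot both be done; one of the two rules has to go, which is why the behaviour observed in the message points at attribute-level rules outside the interface.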