From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 19 Jul 2010 14:05:57 -0400
Subject: [refpolicy] Defining per-service initrc domains
In-Reply-To: <1279054665.28691.227.camel@moss-pluto.epoch.ncsc.mil>
References: <1279054665.28691.227.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <4C449405.3010009@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/13/10 16:57, Stephen Smalley wrote:
> Hi,
>
> We would like to be able to define a set of per-service initrc domains
> for particular rc scripts. Although there seem to be a number of
> per-service rc script file types (e.g. ftpd_initrc_exec_t), init_t still
> transitions to the single initrc_t domain on all of those file types.
> We want to instead launch the different rc scripts in distinct domains
> from which we can then define per-service domain and file type
> transitions as well as different permissions.
>
> At first I thought that the init_script_domain() interface might work
> for this purpose, but that yields a transition to the single initrc_t
> domain from init_t and unconfined_t and only transitions to the new
> domain if we started from initrc_t. Is that intentional or a mistake?

init_script_domain() was written to provide exactly what you're looking
for, but it isn't well tested. I added it at the same time Dan started
labeling individual init scripts so that roles like webadm and dbadm can
start/stop only the relevant services.

> I presume it is happening as a result of rules on the type attributes
> elsewhere outside of the interface itself.

Probably. I also need to check to see if there are transitions from
initrc_t to the other init script types. I think this is required since
we get from init_t to initrc_t right away since /etc/rc.d/rc is in the
inittab and it's initrc_exec_t.

> Is there any precedent for creating such per-service initrc domains?
> And do we have any interfaces for doing so?

Not upstream.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
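
The check discussed in this thread, as an added example that is not part of the original messages or of refpolicy: it reads type_transition rules in the style of `sesearch -T` output and reports, for each per-service `*_initrc_exec_t` type, which calling domains still land in the shared initrc_t and which reach a dedicated domain. The sample rules are constructed, and `ftpd_initrc_t` is a hypothetical per-service domain name.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `sesearch -T` output; not from a real policy.
# ftpd_initrc_t is a hypothetical per-service domain used for illustration.
SAMPLE_RULES = """\
type_transition init_t initrc_exec_t:process initrc_t;
type_transition init_t ftpd_initrc_exec_t:process initrc_t;
type_transition unconfined_t ftpd_initrc_exec_t:process initrc_t;
type_transition initrc_t ftpd_initrc_exec_t:process ftpd_initrc_t;
type_transition initrc_t ftpd_exec_t:process ftpd_t;
"""

# Accepts both "type:process" and "type : process" spacing.
RULE_RE = re.compile(
    r"^\s*type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+)\s*;")

def parse_transitions(text):
    """Return {exec_type: {source_domain: target_domain}} for process rules."""
    table = defaultdict(dict)
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            source, exec_type, target = m.groups()
            table[exec_type][source] = target
    return table

def audit_initrc_scripts(text, generic="initrc_t"):
    """Classify each per-service *_initrc_exec_t type by where callers end up."""
    report = {}
    for exec_type, by_source in parse_transitions(text).items():
        if not exec_type.endswith("_initrc_exec_t"):
            continue  # skips the generic initrc_exec_t and daemon entry points
        # Callers that still enter the single shared rc-script domain.
        shared = sorted(s for s, t in by_source.items() if t == generic)
        # Callers that reach a domain specific to this script.
        dedicated = {s: t for s, t in by_source.items() if t != generic}
        report[exec_type] = {"shared": shared, "dedicated": dedicated}
    return report

if __name__ == "__main__":
    for exec_type, r in audit_initrc_scripts(SAMPLE_RULES).items():
        print(exec_type)
        print("  still entering initrc_t from:", ", ".join(r["shared"]) or "none")
        for src, dst in r["dedicated"].items():
            print(f"  {src} -> {dst}")
```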