From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 19 Jul 2010 14:05:57 -0400
Subject: [refpolicy] Defining per-service initrc domains
In-Reply-To: <1279054665.28691.227.camel@moss-pluto.epoch.ncsc.mil>
References: <1279054665.28691.227.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <4C449405.3010009@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/13/10 16:57, Stephen Smalley wrote:
> Hi,
>
> We would like to be able to define a set of per-service initrc domains
> for particular rc scripts.  Although there seem to be a number of
> per-service rc script file types (e.g. ftpd_initrc_exec_t), init_t still
> transitions to the single initrc_t domain on all of those file types.
> We want to instead launch the different rc scripts in distinct domains
> from which we can then define per-service domain and file type
> transitions as well as different permissions.
>
> At first I thought that the init_script_domain() interface might work
> for this purpose, but that yields a transition to the single initrc_t
> domain from init_t and unconfined_t and only transitions to the new
> domain if we started from initrc_t.  Is that intentional or a mistake?

Init_script_domain() was written to provide exactly what you're looking 
for, but it isn't well tested.  I added it at the same time Dan started 
labeling individual init scripts so that roles like webadm and dbadm can 
start/stop only the relevant services.

> I presume it is happening as a result of rules on the type attributes
> elsewhere outside of the interface itself.

Probably.  I also need to check to see if there are transitions from 
initrc_t to the other init script types.  I think this is required since 
we get from init_t to initrc_t right away since /etc/rc.d/rc is in the 
inittab and its initrc_exec_t.

> Is there any precedent for creating such per-service initrc domains?
> And do we have any interfaces for doing so?

Not upstream.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com