From: jsolt@tresys.com (Jeremy Solt)
Date: Tue, 7 Dec 2010 11:20:02 -0500
Subject: [refpolicy] Defining per-service initrc domains
In-Reply-To: <1279054665.28691.227.camel@moss-pluto.epoch.ncsc.mil>
References: <1279054665.28691.227.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <06A6610D4F464D4EBEAFBF2C5F86911E0265270F@exchange2.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com
> [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Stephen Smalley
> Sent: Tuesday, July 13, 2010 4:58 PM
> To: refpolicy at oss1.tresys.com
> Subject: [refpolicy] Defining per-service initrc domains
>
> Hi,
>
> We would like to be able to define a set of per-service
> initrc domains for particular rc scripts. Although there
> seem to be a number of per-service rc script file types (e.g.
> ftpd_initrc_exec_t), init_t still transitions to the single
> initrc_t domain on all of those file types.
> We want to instead launch the different rc scripts in
> distinct domains from which we can then define per-service
> domain and file type transitions as well as different permissions.
>
> At first I thought that the init_script_domain() interface
> might work for this purpose, but that yields a transition to
> the single initrc_t domain from init_t and unconfined_t and
> only transitions to the new domain if we started from
> initrc_t. Is that intentional or a mistake?
> I presume it is happening as a result of rules on the type
> attributes elsewhere outside of the interface itself.
>
> Is there any precedent for creating such per-service initrc domains?
> And do we have any interfaces for doing so?
>
> --
> Stephen Smalley
> National Security Agency

Hi Stephen,

I know it's been a while, but were you able to get this working correctly? If not, I need some clarification.

Were you trying to go from init_t directly to ftpd_initrc_t over ftpd_initrc_exec_t (skipping initrc_t completely)?
Or just init_t -> initrc_t -> ftpd_initrc_t -> ftpd_t ?

I ran some tests on init_script_domain().

On a Fedora 13 system, I tested this out with qpidd and saw the following transitions:

init_t -> initrc_t -> qpidd_initrc_t -> qpidd_t

On a RHEL 5 system, I installed reference policy (to make sure the problem hadn't been fixed by Dan in Fedora's patches) and tried this with the ntp daemon. My transitions:

init_t -> initrc_t -> ntpd_initrc_t -> ntpd_t

Is this the path you were looking for or am I misunderstanding the problem?

Jeremy Solt
Tresys Technology
jsolt at tresys.com | www.tresys.com
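The exchange above turns on how SELinux resolves process type_transition (domtrans) rules when some rules are written against attributes (init_script_file_type) and others against specific types. The following is an added example, not code from the thread or from reference policy: a small Python model of that resolution, populated with the rules the two messages name. Assumptions, labelled in the comments as well: the attribute-wide rules sending init_t and unconfined_t to initrc_t (the original message presumes them; they are modelled as domtrans(init_t, init_script_file_type, initrc_t) and the same for unconfined_t), the daemon transitions initrc_t -> ntpd_t and ntpd_initrc_t -> ntpd_t (the thread shows the observed chain but not the rules behind it), and the final function, which goes beyond the thread by showing what happens if one simply adds a specific init_t -> ntpd_initrc_t rule on top of the attribute rule: the expanded policy then has two different defaults for the same (source, target) pair, which the model rejects the way checkpolicy rejects a conflicting TE rule.

```python
"""Toy model of SELinux process domain-transition resolution.

Constructed for illustration; it is not checkpolicy and not reference
policy.  Rules may name an attribute as source or target; on expand()
every attribute is replaced by its member types, and two rules that
yield different defaults for the same (source, entrypoint) pair are a
conflict, mirroring the 'conflicting TE rule' error from checkpolicy.
"""
from collections import defaultdict


class Policy:
    def __init__(self):
        self.attrs = defaultdict(set)   # attribute name -> member types
        self.rules = []                 # (source, target, default_domain)

    def typeattribute(self, type_name, attr):
        self.attrs[attr].add(type_name)

    def domtrans(self, source, target, default):
        """type_transition source target:process default (plus allows)."""
        self.rules.append((source, target, default))

    def _members(self, name):
        # An attribute expands to its members; a plain type is itself.
        return self.attrs[name] if name in self.attrs else {name}

    def expand(self):
        table = {}
        for src, tgt, new in self.rules:
            for s in self._members(src):
                for t in self._members(tgt):
                    old = table.get((s, t))
                    if old is not None and old != new:
                        raise ValueError(
                            f"conflicting TE rule for ({s}, {t}:process): "
                            f"old was {old}, new is {new}")
                    table[(s, t)] = new
        return table

    def resolve(self, source, entrypoint):
        # No matching rule: the process stays in its current domain.
        return self.expand().get((source, entrypoint), source)

    def trace(self, start, entrypoints):
        chain = [start]
        for ep in entrypoints:
            chain.append(self.resolve(chain[-1], ep))
        return chain


def build_model():
    p = Policy()
    # What init_script_domain(ntpd_initrc_t, ntpd_initrc_exec_t) contributes,
    # as described in the thread: attribute membership plus a transition
    # that only fires when the script is run from initrc_t.
    p.typeattribute("ntpd_initrc_t", "init_script_domain_type")
    p.typeattribute("ntpd_initrc_exec_t", "init_script_file_type")
    p.domtrans("initrc_t", "ntpd_initrc_exec_t", "ntpd_initrc_t")
    # The generic rc script type is an init script file type too.
    p.typeattribute("initrc_exec_t", "init_script_file_type")
    # ASSUMPTION: attribute-wide rules elsewhere in policy (the ones the
    # original message presumes) send init_t and unconfined_t to initrc_t
    # for every init_script_file_type.
    p.domtrans("init_t", "init_script_file_type", "initrc_t")
    p.domtrans("unconfined_t", "init_script_file_type", "initrc_t")
    # ASSUMPTION: daemon transitions on the ntpd binary from both the
    # generic and the per-service initrc domain.
    p.domtrans("initrc_t", "ntpd_exec_t", "ntpd_t")
    p.domtrans("ntpd_initrc_t", "ntpd_exec_t", "ntpd_t")
    return p


def sysv_path(p):
    """init runs rc, rc runs the ntpd script, the script runs the daemon."""
    return p.trace("init_t", ["initrc_exec_t", "ntpd_initrc_exec_t", "ntpd_exec_t"])


def direct_path(p):
    """init execs the ntpd script itself; initrc_t is still not skipped."""
    return p.trace("init_t", ["ntpd_initrc_exec_t", "ntpd_exec_t"])


def naive_fix_conflicts():
    """Adding a specific init_t rule on top of the attribute rule conflicts."""
    p = build_model()
    p.domtrans("init_t", "ntpd_initrc_exec_t", "ntpd_initrc_t")
    try:
        p.expand()
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    model = build_model()
    print(" -> ".join(sysv_path(model)))
    print(" -> ".join(direct_path(model)))
    print(naive_fix_conflicts())
```

The sysv path reproduces the chain Jeremy observed (init_t -> initrc_t -> ntpd_initrc_t -> ntpd_t); the direct path shows Stephen's complaint, that running the script straight from init_t lands in initrc_t because the attribute rule matches ntpd_initrc_exec_t like any other init script type. The last function shows why the per-service transition cannot simply be added beside the attribute rule: once the attribute is expanded, both rules apply to the same (init_t, ntpd_initrc_exec_t) pair, so the attribute-level rule itself has to change.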