From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Thu, 09 Dec 2010 14:49:37 -0500
Subject: [refpolicy] Defining per-service initrc domains
In-Reply-To: <06A6610D4F464D4EBEAFBF2C5F86911E0265270F@exchange2.columbia.tresys.com>
References: <1279054665.28691.227.camel@moss-pluto.epoch.ncsc.mil> <06A6610D4F464D4EBEAFBF2C5F86911E0265270F@exchange2.columbia.tresys.com>
Message-ID: <1291924177.30609.17.camel@moss-pluto>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2010-12-07 at 11:20 -0500, Jeremy Solt wrote:
> Hi Stephen,
>
> I know it's been a while, but were you able to get this working
> correctly? If not, I need some clarification. Were you trying to go from
> init_t directly to ftpd_initrc_t over ftpd_initrc_exec_t (skipping
> initrc_t completely)? Or just init_t -> initrc_t -> ftpd_initrc_t ->
> ftpd_t ?
>
> I ran some tests on init_script_domain(). On a Fedora 13 system, I
> tested this out with qpidd and saw the following transitions:
> init_t -> initrc_t -> qpidd_initrc_t -> qpidd_t
>
> On a RHEL 5 system, I installed reference policy (to make sure the
> problem hadn't been fixed by Dan in Fedora's patches) and tried this
> with the ntp daemon. My transitions:
> init_t -> initrc_t -> ntpd_initrc_t -> ntpd_t
>
> Is this the path you were looking for or am I misunderstanding the
> problem?

That sounds right, but it didn't seem to work for us. We were trying it
for the hadoop policy that has subsequently been merged, in order to get
the hadoop daemons into the right domains.

--
Stephen Smalley
National Security Agency