From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
Date: Thu, 09 Dec 2010 17:10:35 -0500
Subject: [refpolicy] Defining per-service initrc domains
In-Reply-To: <1291924177.30609.17.camel@moss-pluto>
References: <1279054665.28691.227.camel@moss-pluto.epoch.ncsc.mil> <06A6610D4F464D4EBEAFBF2C5F86911E0265270F@exchange2.columbia.tresys.com> <1291924177.30609.17.camel@moss-pluto>
Message-ID: <4D0153DB.5000501@tycho.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/09/2010 02:49 PM, Stephen Smalley wrote:
> On Tue, 2010-12-07 at 11:20 -0500, Jeremy Solt wrote:
>> Hi Stephen,
>>
>> I know it's been a while, but were you able to get this working
>> correctly? If not, I need some clarification. Were you trying to go from
>> init_t directly to ftpd_initrc_t over ftpd_initrc_exec_t (skipping
>> initrc_t completely)? Or just init_t -> initrc_t -> ftpd_initrc_t ->
>> ftpd_t ?
>>
>> I ran some tests on init_script_domain(). On a Fedora 13 system, I
>> tested this out with qpidd and saw the following transitions:
>> init_t -> initrc_t -> qpidd_initrc_t -> qpidd_t
>>
>> On a RHEL 5 system, I installed reference policy (to make sure the
>> problem hadn't been fixed by Dan in Fedora's patches) and tried this
>> with the ntp daemon. My transitions:
>> init_t -> initrc_t -> ntpd_initrc_t -> ntpd_t
>>
>> Is this the path you were looking for or am I misunderstanding the
>> problem?
>
> That sounds right, but it didn't seem to work for us. We were trying it
> for the hadoop policy that has subsequently been merged, in order to get
> the hadoop daemons into the right domains.
>

We were having an issue where five different domains were being started
with the same executable (hadoop_exec_t). If I remember correctly,
init_script_domain or init_daemon_domain wasn't allowing us to have
multiple domain entries for one executable.
init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t) seemed to
solve the problem.
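The pattern Paul describes, written out as an added reference-policy template (example policy for this thread, not the merged hadoop module). The template name hadoop_domain_template is assumed; hadoop_exec_t, hadoop_$1_t, hadoop_$1_initrc_t and hadoop_$1_initrc_exec_t are the type names from the thread, and it is assumed that init_script_domain() itself declares the initrc_t -> hadoop_$1_initrc_t transition on the per-service entrypoint, as the tested transition chains above show.

```selinux
########################################
## <summary>
##	Create a hadoop daemon domain that is entered through its own
##	initrc domain (added example, not the merged hadoop policy).
## </summary>
## <param name="domain_prefix">
##	<summary>Daemon name, e.g. datanode (assumed parameter).</summary>
## </param>
#
template(`hadoop_domain_template',`
	gen_require(`
		type hadoop_exec_t;
	')

	# Daemon domain. All hadoop daemons share the hadoop_exec_t
	# executable, so hadoop_exec_t is an entrypoint for each of them.
	type hadoop_$1_t;
	domain_type(hadoop_$1_t)
	domain_entry_file(hadoop_$1_t, hadoop_exec_t)
	role system_r types hadoop_$1_t;

	# Per-service initrc domain with a per-service init script entrypoint.
	# This gives initrc_t a distinct target domain per service: a single
	# type_transition from initrc_t on hadoop_exec_t could name only one
	# daemon domain, which is the conflict the thread ran into with
	# init_daemon_domain() for five domains on one executable.
	type hadoop_$1_initrc_t;
	type hadoop_$1_initrc_exec_t;
	init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)

	# Last hop of the chain init_t -> initrc_t -> hadoop_$1_initrc_t ->
	# hadoop_$1_t: the transition source is now unique per service, so
	# each service gets its own rule on the shared executable.
	domain_auto_trans(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)
')
```

Each per-service init script must be labelled with its own hadoop_$1_initrc_exec_t in the module's file contexts, otherwise initrc_t runs it in initrc_t and the per-service chain is never entered.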