From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 12 Jul 2012 21:24:42 +0200
Subject: [refpolicy] [PATCH v5 2/5] Supporting interfaces for the /run changes
In-Reply-To: <1342121085-2765-1-git-send-email-sven.vermeulen@siphos.be>
References: <1342121085-2765-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1342121085-2765-3-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Since most distributions now support /run (which, thanks to the file context substitutions, is marked as var_run_t), we need to update the SELinux policies to support "dynamically" building up /run. Unlike /var/run, which is most likely statically defined during distribution installation, /run is a tmpfs which is built up from scratch on each and every boot.

But not only that, many services also use this location for other purposes than just PID files (which is to be expected as these "other reasons" is why /run came to be in the first place), so we need to support other types within this location easily.

For this reason, we introduce support to
- creating the /run/lock location
- supporting named file transitions when init scripts create stuff in /run

Signed-off-by: Sven Vermeulen
---
 policy/modules/kernel/files.if | 61 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 61 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 41346fb..e951402 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
@@ -5608,6 +5608,26 @@ interface(`files_list_locks',` ######################################## ## +## Create lock directories +## +## +## +## Domain allowed access +## +## +# +interface(`files_create_lock_dirs',` + gen_require(` + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + create_dirs_pattern($1, var_lock_t, var_lock_t) +') + +######################################## +## ## Add and remove entries in the /var/lock ## directories. ## @@ -5628,6 +5648,24 @@ interface(`files_rw_lock_dirs',` ######################################## ## +## Set the attributes of the generic lock directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_lock_dirs',` + gen_require(` + type var_t, var_lock_t; + ') + + setattr_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## ## Relabel to and from all lock directory types. ## ## @@ -6016,6 +6054,29 @@ interface(`files_pid_filetrans',` ######################################## ## +## Create a generic lock directory within the run directories +## +## +## +## Domain allowed access +## +## +## +## +## The name of the object being created. +## +## +# +interface(`files_pid_filetrans_lock_dir',` + gen_require(` + type var_lock_t; + ') + + files_pid_filetrans($1, var_lock_t, dir, $2) +') + +######################################## +## ## Read and write generic process ID files. ## ## -- 1.7.8.6
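Review bot: In the first hunk, files_create_lock_dirs calls create_dirs_pattern($1, var_lock_t, var_lock_t) with var_lock_t as both the containing directory type and the new directory type, so it covers creating directories inside an existing lock directory but grants nothing on the /run parent where the commit message says /run/lock gets created. The summary "Create lock directories" should say this and point out that a caller creating /run/lock itself also needs files_pid_filetrans_lock_dir. The parameter text "Domain allowed access" is also missing the trailing period that files_setattr_lock_dirs uses in the same patch.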
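Review bot: In the second hunk, files_setattr_lock_dirs requires var_t and var_lock_t just like files_create_lock_dirs but leaves out the "allow $1 var_lock_t:lnk_file read_lnk_file_perms;" rule that the first interface carries, so a caller that reaches the directory through a var_lock_t symlink gets setattr without the link read. Either add the same lnk_file rule here for consistency or state in the description that the caller is expected to be able to resolve the path already.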
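Review bot: In the third hunk, files_pid_filetrans_lock_dir passes $2 straight through as the object name in files_pid_filetrans($1, var_lock_t, dir, $2), and the parameter text "The name of the object being created." does not say whether it may be left empty. With an empty name the transition is no longer a named one and would apply to every directory the domain creates in the pid directories, labelling all of them var_lock_t; the description should say a name (for example "lock") is expected, or the interface should require it. The summary could also make clear that this only sets up the type transition, since the create permission on var_lock_t directories comes from files_create_lock_dirs.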