From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 7 Aug 2012 13:20:52 -0400 Subject: [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus In-Reply-To: <1343756789-16068-3-git-send-email-sven.vermeulen@siphos.be> References: <1343756789-16068-1-git-send-email-sven.vermeulen@siphos.be> <1343756789-16068-3-git-send-email-sven.vermeulen@siphos.be> Message-ID: <50214E74.9090702@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/31/12 13:46, Sven Vermeulen wrote: > Allow the init scripts to create /run/mysqld and /run/dbus with the proper file > transition in place > > Signed-off-by: Sven Vermeulen > --- > policy/modules/system/init.te | 7 ++++++- > 1 files changed, 6 insertions(+), 1 deletions(-) > > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index 6ae70ea..e389323 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -626,6 +626,8 @@ optional_policy(` > > optional_policy(` > dbus_connect_system_bus(initrc_t) > + dbus_create_system_dbusd_run_dirs(initrc_t) > + dbus_generic_pid_filetrans_system_dbusd_run(initrc_t, dir, "dbus") > dbus_system_bus_client(initrc_t) > dbus_read_config(initrc_t) 
> > @@ -738,9 +740,12 @@ optional_policy(` > mysql_manage_db_dirs(initrc_t) > ') > > + mysql_create_run_dirs(initrc_t) > + mysql_generic_run_filetrans_pid(initrc_t, dir, "mysqld") > + mysql_read_config(initrc_t) > + mysql_setattr_run_dirs(initrc_t) > mysql_stream_connect(initrc_t) > mysql_write_log(initrc_t) > - mysql_read_config(initrc_t) It seems that there would be a couple possibilities to think about. The first would be to consider making init script domains for these services because their init scripts do so much. The second would be to investigate the possibility of some set of interfaces (probably reverse) so that we don't have to update init with all of the /run directory creation rules. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
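Review bot: in the first init.te hunk (@@ -626,6 +626,8 @@), the dbus block gets a create interface and a named file transition but no setattr counterpart, while the mysql hunk in the same patch adds mysql_setattr_run_dirs(initrc_t). If the dbus init script also changes the mode or ownership of /run/dbus, the rule is missing here; if it does not, a sentence in the commit message explaining the asymmetry would save the next reader from wondering. The two new interface names also follow different patterns (dbus_generic_pid_filetrans_system_dbusd_run versus mysql_generic_run_filetrans_pid); settling on one ordering of "pid", "run" and "filetrans" would make these calls easier to grep for and audit.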
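Review bot: in the second init.te hunk (@@ -738,9 +740,12 @@), mysql_setattr_run_dirs(initrc_t) grants initrc_t more than the commit message describes, which only mentions creating /run/mysqld with the file transition in place. Say in the message why the init script needs setattr on the run directory, or drop the line if it is not required. The relocation of mysql_read_config(initrc_t) is a pure reordering mixed into a functional change; mentioning it in the message or splitting it into its own patch keeps the actual permission delta for initrc_t easy to see.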