From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 7 Aug 2012 19:35:44 +0200
Subject: [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
In-Reply-To: <50214E74.9090702@tresys.com>
References: <1343756789-16068-1-git-send-email-sven.vermeulen@siphos.be> <1343756789-16068-3-git-send-email-sven.vermeulen@siphos.be> <50214E74.9090702@tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Aug 7, 2012 at 7:20 PM, Christopher J. PeBenito wrote:
> It seems that there would be a couple possibilities to think about. The first would be to
> consider making init script domains for these services because their init scripts do so
> much. The second would be to investigate the possibility of some set of interfaces
> (probably reverse) so that we don't have to update init with all of the /run directory
> creation rules.

I have been thinking (and playing) with the interface idea too. However, it would go away from the current "domain-driven" interfaces (where almost all interfaces' first argument is the domain on which it has effect), which might seem awkward to use (and I haven't the faintest idea how to call the interface then).

Something like "init_generic_run_init_create_run_dirs(mysqld_var_run_t, "mysqld")", which allows initrc_t to create the "mysqld" directory in var_run_t with an automatic type transition towards mysqld_var_run_t.

Another idea I had was to transform the run directories, like so:

"""
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)
files_dynamic_run_dir(mysqld_var_run_t, "mysqld")
"""

This would then just have automatic file transitions for /run, period:

    interface(`files_dynamic_run_dir',`
        gen_require(`
            # both the domain attribute and var_run_t must be declared
            # in gen_require for the interface to build
            attribute domain;
            type var_run_t;
        ')

        # $1: the type the new /run subdirectory gets
        # $2: the directory name that triggers the transition
        filetrans_pattern(domain, var_run_t, $1, dir, $2)
    ')

So if an init script, named init script, application domain or user does something like "mkdir /run/mysqld", then it automatically becomes mysqld_var_run_t.
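As an added illustration (not part of the patch or of this thread), here is what the proposed files_dynamic_run_dir() interface would look like when used from a hypothetical mysql.te, and what the filetrans_pattern() call in its body expands to, so that a reviewer can see exactly which rules the interface grants; the expansion assumes the refpolicy definition of filetrans_pattern() (an allow of rw_dir_perms on the parent directory plus a named type_transition).

```selinux
# Hypothetical use in policy/modules/services/mysql.te (constructed example)
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)
files_dynamic_run_dir(mysqld_var_run_t, "mysqld")

# The interface body for this call is:
#   filetrans_pattern(domain, var_run_t, mysqld_var_run_t, dir, "mysqld")
# which, after m4 expansion, yields the two kernel policy rules below.

# 1. Every process domain (the `domain` attribute) may write entries
#    into directories labelled var_run_t, i.e. into /run itself.
allow domain var_run_t:dir rw_dir_perms;

# 2. When such a domain creates a directory named exactly "mysqld"
#    inside a var_run_t directory, the new directory is labelled
#    mysqld_var_run_t instead of inheriting var_run_t.
type_transition domain var_run_t:dir mysqld_var_run_t "mysqld";

# Review point: the subject is the whole `domain` attribute, not only
# initrc_t, so rule 1 widens write access to /run for all domains.
# The name-based transition in rule 2 needs a policy version that
# supports named type transitions; older kernels would ignore the name
# and a created "mysqld" directory would remain var_run_t.
```

Querying the compiled policy with sesearch --type_trans -s initrc_t -t var_run_t -c dir would show whether the named transition is actually present.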