From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 7 Aug 2012 13:42:22 -0400
Subject: [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
In-Reply-To:
References: <1343756789-16068-1-git-send-email-sven.vermeulen@siphos.be> <1343756789-16068-3-git-send-email-sven.vermeulen@siphos.be> <50214E74.9090702@tresys.com>
Message-ID: <5021537E.9030904@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/07/12 13:35, Sven Vermeulen wrote:
> On Tue, Aug 7, 2012 at 7:20 PM, Christopher J. PeBenito
> wrote:
>> It seems that there would be a couple possibilities to think about. The first would be to
>> consider making init script domains for these services because their init scripts do so
>> much. The second would be to investigate the possibility of some set of interfaces
>> (probably reverse) so that we don't have to update init with all of the /run directory
>> creation rules.
>
> I have been thinking (and playing) with the interface idea too.
> However, it would go away from the current "domain-driven" interfaces
> (where almost all interfaces' first argument is the domain on which it
> has effect) which might seem awkward to use (and I haven't the
> faintest idea how to call the interface then).
>
> Something like "init_generic_run_init_create_run_dirs(mysqld_var_run_t,
> "mysqld")" which allows initrc_t to create the "mysqld" directory in
> var_run_t with an automatic type transition towards mysqld_var_run_t.
>
> Another idea I had was to transform the run directories, like so:
>
> """
> type mysqld_var_run_t;
> files_pid_file(mysqld_var_run_t)
> files_dynamic_run_dir(mysqld_var_run_t, "mysqld")
> """
>
> This would then just have automatic file transitions for /run. period:
>
> interface(`files_dynamic_run_dir',`
>   gen_require(`
>     type var_run_t;
>   ')
>   filetrans_pattern(domain, var_run_t, $1, dir, $2)
> ')
>
> So if an init script, named init script, application domain or user
> does something like "mkdir /run/mysqld" then it automatically becomes
> mysqld_var_run_t.

Well I wouldn't go with the above because it's way too broad, unnecessarily gives access to all domains, and breaks encapsulation. But the idea might make more sense if we create a daemon pid file concept and allow initrc_t to create all daemon pid file dirs. It would be similarly structured as your above examples.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
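One way the "daemon pid file concept" from the reply above could be laid out, as an added sketch that is not part of the thread and not refpolicy's own code. The attribute `daemonrundir` and the interface `init_daemon_run_dir` are hypothetical names; `files_pid_file`, `files_pid_filetrans` and `create_dir_perms` are existing refpolicy constructs, and the named-transition argument is assumed to be available as in the quoted example.

```m4
########################################
# init.te (sketch): the concept lives in the init module
#
# Hypothetical attribute marking types used for daemon
# runtime directories under /run.
attribute daemonrundir;

# Only initrc_t gains access, and only to create directories
# of types that opted in through the interface below.
allow initrc_t daemonrundir:dir create_dir_perms;

########################################
# init.if (sketch): hypothetical interface
#
# $1 = type of the runtime directory
# $2 = directory name to match under /run
interface(`init_daemon_run_dir',`
	gen_require(`
		attribute daemonrundir;
		type initrc_t;
	')

	# Opt the type in to the daemon runtime directory concept.
	typeattribute $1 daemonrundir;

	# Named transition scoped to initrc_t instead of the domain
	# attribute. var_run_t stays encapsulated behind the files
	# module interface rather than being required here.
	files_pid_filetrans(initrc_t, $1, dir, $2)
')

########################################
# mysql.te (sketch): caller side, shaped like the quoted example
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)
init_daemon_run_dir(mysqld_var_run_t, "mysqld")
```

With this layout, a "mkdir /run/mysqld" from an init script running as initrc_t yields mysqld_var_run_t, while the same mkdir from any other domain gets no new transition or permission from these rules.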