From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 7 Aug 2012 19:59:25 +0200
Subject: [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
In-Reply-To: <5021537E.9030904@tresys.com>
References: <1343756789-16068-1-git-send-email-sven.vermeulen@siphos.be> <1343756789-16068-3-git-send-email-sven.vermeulen@siphos.be> <50214E74.9090702@tresys.com> <5021537E.9030904@tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Aug 7, 2012 at 7:42 PM, Christopher J. PeBenito wrote:
>> So if an init script, named init script, application domain or user
>> does something like "mkdir /run/mysqld" then it automatically becomes
>> mysqld_var_run_t.
>
> Well, I wouldn't go with the above because it's way too broad, unnecessarily gives
> access to all domains, and breaks encapsulation. But the idea might make more
> sense if we create a daemon pid file concept and allow initrc_t to create all daemon
> pid file dirs. It would be similarly structured as your above examples.

I generally agree, but there are probably many "corner cases". I mentioned one for DHCP before (which needs it instead of initrc_t), and another one is in the pipeline (tor, Gentoo bug #429486). I imagine there are quite a few others as well.

However, the "corner cases" don't have the downside of having three different parties (initrc_t, var_run_t, _var_run_t), so they can be more easily updated:

    files_pid_filetrans(tor_t, tor_var_run_t, dir, "tor")

in tor.te (assuming this is what the bug is about; I haven't seen it in detail yet).

I'll try with daemonpidfile and see how far we get.

Thanks for the feedback,
Sven Vermeulen
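As an added illustration of the "corner case" pattern discussed in the mail (not a patch from this thread or from the tor module itself), this is what the rules around the quoted files_pid_filetrans() line would look like in a refpolicy tor.te. The type declaration and manage rules are assumed for the sake of the example; only the named transition line comes from the mail.

```m4
# Added example, not part of the original thread: the daemon domain,
# not initrc_t, creates its own runtime directory and gets it labeled.

# Runtime (pid) directory type for the tor daemon; files_pid_file() marks
# it as living under /run (var_run_t) so generic pid-file rules apply.
type tor_var_run_t;
files_pid_file(tor_var_run_t)

# tor_t may create and manage its runtime directory and the pid file in it.
manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)

# Named file transition (the line from the mail): when tor_t creates a
# directory called exactly "tor" inside a var_run_t directory (/run), the
# new directory is labeled tor_var_run_t instead of inheriting var_run_t.
# Because tor_t is the creator, no initrc_t or var_run_t rule is involved,
# which is why such cases are easy to update in the daemon's own module.
files_pid_filetrans(tor_t, tor_var_run_t, dir, "tor")
```

The same pattern only works when the daemon itself creates the directory; when the init script creates it before the daemon starts, the transition has to be granted to initrc_t, which is the case the daemonpidfile idea above is meant to cover.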