From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 07 Aug 2012 20:04:23 +0200
Subject: [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
In-Reply-To:
References: <1343756789-16068-1-git-send-email-sven.vermeulen@siphos.be> <1343756789-16068-3-git-send-email-sven.vermeulen@siphos.be> <50214E74.9090702@tresys.com> <5021537E.9030904@tresys.com>
Message-ID: <1344362663.2306.9.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2012-08-07 at 19:59 +0200, Sven Vermeulen wrote:
> On Tue, Aug 7, 2012 at 7:42 PM, Christopher J. PeBenito wrote:
> >> So if an init script, named init script, application domain or user
> >> does something like "mkdir /run/mysqld" then it automatically becomes
> >> mysqld_var_run_t.
> >
> > Well I wouldn't go with the above because it's way too broad, unnecessarily gives
> > access to all domains, and breaks encapsulation. But the idea might make more
> > sense if we create a daemon pid file concept and allow initrc_t to create all daemon
> > pid file dirs. It would be similarly structured as your above examples.
>
> I generally agree, but there are probably many "corner cases". I
> mentioned one for DHCP before (which needs it instead of initrc_t),
> another one is in the pipeline (tor, gentoo bug #429486). I imagine
> there are quite a few others as well.
>
> However, the "corner cases" don't have the downside of having three
> different parties (initrc_t, var_run_t, _var_run_t) so can be
> more easily updated:
> files_pid_filetrans(tor_t, tor_var_run_t, dir, "tor") in tor.te
> (assuming this is what the bug is about, haven't seen it in detail
> yet).
>
> I'll try with daemonpidfile and see how far we get.

About initrc_t creating all these objects on /run and other tmpfs: I think we should make that conditional.
Reasons:

Not all systems use /run (older systems probably don't have /run).

In systems with systemd, systemd-tmpfilesd takes care of creation of this content.

Although the initrc_t domain is considered trusted anyways. So I am not sure. Your input on this issue?

> Thanks for the feedback,
> Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
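The "daemon pid file" concept, the conditional initrc_t access and the tor corner case discussed in this thread, sketched below in refpolicy's type-enforcement syntax as an added illustration; it is not code from the patch under review or from refpolicy itself. The interface name init_daemon_pid_file, the attribute daemonpidfile and the tunable init_create_daemon_pid_dirs are assumed names, and tor_t is assumed to be declared elsewhere in the tor module.

```selinux
# --- policy/modules/system/init.te (illustration, not refpolicy's own) ---
# Attribute collecting the pid types of daemons whose /run directory
# init scripts may create on their behalf (assumed name).
attribute daemonpidfile;

## <desc>
## <p>
## Allow init scripts (initrc_t) to create daemon pid directories under
## /run. Leave disabled on systemd hosts, where tmpfiles creates them,
## and on systems without /run. (assumed tunable name)
## </p>
## </desc>
gen_tunable(init_create_daemon_pid_dirs, false)

tunable_policy(`init_create_daemon_pid_dirs',`
	# Only the permission is conditional; the name transitions below stay
	# unconditional, but without this rule the mkdir is denied, so no
	# transition ever takes effect.
	files_search_pids(initrc_t)
	manage_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
')

# --- policy/modules/system/init.if (illustration) ---
## Let init scripts create the named pid directory of one daemon.
## $1 = daemon pid type, $2 = object class, $3 = file name under /run
interface(`init_daemon_pid_file',`
	gen_require(`
		type initrc_t;
		attribute daemonpidfile;
	')

	typeattribute $1 daemonpidfile;
	files_pid_filetrans(initrc_t, $1, $2, $3)
')

# --- policy/modules/services/mysql.te: the common case from the subject ---
init_daemon_pid_file(mysqld_var_run_t, dir, "mysqld")

# --- policy/modules/services/tor.te: the "corner case" from the thread ---
# tor creates /run/tor itself, so the transition belongs to tor_t, not
# initrc_t, and no initrc_t access to tor_var_run_t is needed at all.
type tor_var_run_t;
files_pid_file(tor_var_run_t)

manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
files_pid_filetrans(tor_t, tor_var_run_t, dir, "tor")
```

Keeping the name-based transition per type (rather than on the attribute) matters because a type_transition must name a concrete target type, which is why the per-daemon interface call carries it.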