From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 7 Aug 2012 14:28:22 -0400
Subject: [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
In-Reply-To: <1344362663.2306.9.camel@d30.localdomain>
References: <1343756789-16068-1-git-send-email-sven.vermeulen@siphos.be>
 <1343756789-16068-3-git-send-email-sven.vermeulen@siphos.be>
 <50214E74.9090702@tresys.com>
 <5021537E.9030904@tresys.com>
 <1344362663.2306.9.camel@d30.localdomain>
Message-ID: <50215E46.5020507@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/07/12 14:04, Dominick Grift wrote:
> On Tue, 2012-08-07 at 19:59 +0200, Sven Vermeulen wrote:
>> On Tue, Aug 7, 2012 at 7:42 PM, Christopher J. PeBenito
>> wrote:
>>>> So if an init script, named init script, application domain or user
>>>> does something like "mkdir /run/mysqld" then it automatically becomes
>>>> mysqld_var_run_t.
>>>
>>> Well I wouldn't go with the above because it's way too broad, unnecessarily gives
>>> access to all domains, and breaks encapsulation. But the idea might make more
>>> sense if we create a daemon pid file concept and allow initrc_t to create all daemon
>>> pid file dirs. It would be similarly structured as your above examples.
>>
>> I generally agree, but there are probably many "corner cases". I
>> mentioned one for DHCP before (which needs it instead of initrc_t),
>> another one is in the pipeline (tor, gentoo bug #429486). I imagine
>> there are quite a few others as well.
>>
>> However, the "corner cases" don't have the downside of having three
>> different parties (initrc_t, var_run_t, _var_run_t) so can be
>> more easily updated:
>> files_pid_filetrans(tor_t, tor_var_run_t, dir, "tor") in tor.te
>> (assuming this is what the bug is about, haven't seen it in detail
>> yet).
>>
>> I'll try with daemonpidfile and see how far we get.
>
> About initrc_t creating all these objects on /run and other tmpfs.
>
> I think we should make that conditional.
>
> Reasons:
>
> Not all systems use /run (older systems probably don't have run)
> In systems with systemd, systemd-tmpfilesd takes care of creation of
> this content.
>
> Although the initrc_t domain is considered trusted anyways. So I am not
> sure. Your input on this issue?

It's a valid point, but my current feeling is that it's ok. Just as you say,
initrc_t is trusted. If it is doing bad things, the system is in bad shape
and extra directory creation perms in (/var)?/run is the least of your
concerns.

If it's a concern, we could always move to init script domains (eg
httpd_initrc_t). That's a significant effort, but it would separate out a
bunch of initrc_t's permissions.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
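The two policy shapes weighed in this thread, written out as refpolicy-style TE, as an added illustration for readers following along. This is not the patch under review and not refpolicy's own code. Of the names used, only files_pid_filetrans, initrc_t, var_run_t, tor_t, tor_var_run_t and mysqld_var_run_t come from the thread; the daemonpidfile attribute is the name Sven mentions, and the init_daemon_pid_file interface and the init_create_daemon_pid_dirs boolean are assumed names chosen here. Module placement (tor.te, init.te, init.if, mysql.te) is likewise an assumption about where such rules would live.

```m4
# Added illustration, not the patch under review and not refpolicy code.
# Assumed names: daemonpidfile (attribute), init_daemon_pid_file
# (interface), init_create_daemon_pid_dirs (boolean), module placement.

# --- Approach 1: per-domain named transition (the "corner case" form) ---
# tor.te: only when tor_t itself creates a directory named "tor" under a
# var_run_t parent is the new directory labelled tor_var_run_t. No other
# domain gains anything; initrc_t is not involved at all.
manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
files_pid_filetrans(tor_t, tor_var_run_t, dir, "tor")

# --- Approach 2: a "daemon pid file" concept so initrc_t gets one rule ---
# init.te: one attribute collects every daemon's pid-file type, so
# initrc_t's create rights are scoped to that attribute instead of to
# every domain being allowed to relabel anything under /run.
attribute daemonpidfile;

# Boolean to make the initrc_t behaviour conditional, per the concern that
# systemd hosts (systemd-tmpfiles creates these dirs) and systems without
# /run do not need it. Default on; flip with setsebool.
gen_tunable(init_create_daemon_pid_dirs, true)

tunable_policy(`init_create_daemon_pid_dirs',`
	# filetrans_pattern only grants rw on the parent dir plus the
	# type_transition; the create permission on the new type must be
	# granted separately, which this attribute-wide rule does.
	allow initrc_t daemonpidfile:dir manage_dir_perms;
')

# init.if: each daemon module calls this once for its pid directory.
interface(`init_daemon_pid_file',`
	gen_require(`
		attribute daemonpidfile;
		type initrc_t;
	')

	typeattribute $1 daemonpidfile;

	tunable_policy(`init_create_daemon_pid_dirs',`
		# Named transition: "mkdir /run/$3" by initrc_t yields $1, not
		# the parent's generic var_run_t. The default type of a
		# type_transition must be a concrete type, not an attribute, so
		# the transition is emitted here per daemon rather than once on
		# daemonpidfile in init.te.
		files_pid_filetrans(initrc_t, $1, $2, $3)
	')
')

# mysql.te: registers /run/mysqld so the init script may create it
# with the right label (the /run/dbus case in the subject is analogous).
init_daemon_pid_file(mysqld_var_run_t, dir, "mysqld")
```

After loading such a policy, `sesearch -T -s initrc_t -c dir` (setools) lists the resulting named type transitions, and `ls -Zd /run/mysqld` after an init-script start confirms the directory did not inherit var_run_t from its parent. Note that with the boolean off, initrc_t keeps none of the attribute-wide create rights, which is the point of making it conditional; the per-domain form in approach 1 is unaffected by the boolean.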