From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 10 Aug 2012 19:28:56 +0200
Subject: [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
In-Reply-To: <5021537E.9030904@tresys.com>
References: <1343756789-16068-1-git-send-email-sven.vermeulen@siphos.be> <1343756789-16068-3-git-send-email-sven.vermeulen@siphos.be> <50214E74.9090702@tresys.com> <5021537E.9030904@tresys.com>
Message-ID: <20120810172855.GB13453@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Aug 07, 2012 at 01:42:22PM -0400, Christopher J. PeBenito wrote:
> > """
> > type mysqld_var_run_t;
> > files_pid_file(mysqld_var_run_t)
> > files_dynamic_run_dir(mysqld_var_run_t, "mysqld")
> > """
> >
> > This would then just have automatic file transitions for /run. period:
> >
> > interface(`files_dynamic_run_dir',`
> >     gen_require(`
> >         type var_run_t;
> >     ')
> >     filetrans_pattern(domain, var_run_t, $1, dir, $2)
> > ')
> >
> > So if an init script, named init script, application domain or user
> > does something like "mkdir /run/mysqld" then it automatically becomes
> > mysqld_var_run_t.
>
> Well I wouldn't go with the above because it's way too broad, unnecessarily
> gives access to all domains, and breaks encapsulation. But the idea might
> make more sense if we create a daemon pid file concept and allow initrc_t
> to create all daemon pid file dirs. It would be similarly structured as
> your above examples.

So I've been thinking about this.

Let's say we define an attribute called "daemonrundir" (or "daemonpidfile"
[1]) and provide a transformation interface for that. In order to allow
initrc_t to create these directories, we need to assign the name of the
directory to use simultaneously with it.

# $1 = rundir type, $2 = name of directory
interface(`files_daemon_run_dir',`
    gen_require(`
        attribute daemonrundir;
    ')
    typeattribute $1 daemonrundir;
    init_generic_run_filetrans_specified_run_dir($1, $2)
')

Another interface would allow creating directories of types that have the
daemonrundir attribute set:

# $1 = domain allowed access
interface(`files_create_daemon_run_dir',`
    gen_require(`
        attribute daemonrundir;
    ')
    create_dirs_pattern($1, daemonrundir, daemonrundir)
')

The final one is the "weird" one, for which I don't know a good naming
convention:

# $1 = specified rundir type, $2 = name of the directory for which transition occurs
interface(`init_generic_run_filetrans_specified_run_dir',`
    gen_require(`
        type initrc_t;
    ')
    files_pid_filetrans(initrc_t, $1, dir, $2)
')

Is this about what you had in mind (or could go for)? It would mean we just
need to do things like:

diff --git a/tor.te b/tor.te
index c842cad..6a0547a 100644
--- a/tor.te
+++ b/tor.te
@@ -35,6 +35,7 @@ logging_log_file(tor_var_log_t)
 # pid files
 type tor_var_run_t;
 files_pid_file(tor_var_run_t)
+files_daemon_run_dir(tor_var_run_t, "tor")

Another possibility would be to make it part of the files_pid_file()
transformation (with an optional second parameter) but I don't think we can
do stuff like the following, can we?

ifdef(`$2',`
    # some additional statements if $2 is present
')

Wkr,
	Sven Vermeulen

[1] I am considering using "run" instead of "pid" for most purposes since
PID files are nowadays the minority of stuff that is labeled with
*_var_run_t.
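
Review bot: the added files_daemon_run_dir(tor_var_run_t, "tor") line in the tor.te hunk only attaches the daemonrundir attribute and the initrc_t named transition; the create permission on daemonrundir comes from files_create_daemon_run_dir, and nothing shown in this message calls it for initrc_t. The series should include that call on the init side, or the commit message should say where it lives, otherwise the transition is declared without initrc_t being allowed to create the resulting directory. Separately, files_daemon_run_dir is a files_* interface that calls an init_* interface requiring initrc_t, so it may be clearer to host the whole transformation under the init prefix.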
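
On the closing question about an optional second parameter: the following is an added example in plain GNU m4, not part of the original message and not refpolicy code. It contrasts ifdef with an ifelse comparison against the empty string. demo_ifdef and demo_pid_file are hypothetical names, and how this behaves inside refpolicy's own interface() wrapper is not tested here.

```m4
dnl Added example in plain GNU m4 (run: m4 thisfile). Not refpolicy code.
dnl demo_ifdef and demo_pid_file are hypothetical names.
dnl
dnl ifdef() asks whether a macro with the given NAME is defined. Inside a
dnl macro body, $2 is replaced by the argument text first, so this tests
dnl for a macro called "tor" (quotes included), not for a second argument.
define(`demo_ifdef',`ifdef(`$2',`$1: name seen',`$1: no name seen')')dnl
demo_ifdef(tor_var_run_t, "tor")
demo_ifdef(foo_var_run_t)
dnl
dnl ifelse() compares strings, so comparing $2 with the empty string
dnl does detect a missing (or empty) optional argument.
define(`demo_pid_file',`typeattribute $1 pidfile;
ifelse(`$2',`',`',`typeattribute $1 daemonrundir;
type_transition initrc_t var_run_t:dir $1 $2;
')')dnl
demo_pid_file(foo_var_run_t)
demo_pid_file(tor_var_run_t, "tor")
```

Both demo_ifdef calls take the "no name seen" branch, while demo_pid_file emits the daemonrundir attribute and the named transition only for the call that passes "tor".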