From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 14 Aug 2012 19:28:17 +0200
Subject: [refpolicy] [PATCH v3 1/3] Introduce init_daemon_run_dir
	transformation
In-Reply-To: <20120814172720.GA10055@siphos.be>
References: <20120814172720.GA10055@siphos.be>
Message-ID: <20120814172817.GB10055@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Due to the introduction of /run, many init scripts need to create the daemon run
dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted.

Then, when needed, the modules can call this interface while adding the name of
the directory. This will trigger a named file transition when initrc_t creates
this directory:
  init_daemon_run_dir(udev_var_run_t, "udev")
will trigger
  files_pid_filetrans(initrc_t, udev_var_run_t, dir, "udev")

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.if |   27 +++++++++++++++++++++++++++
 policy/modules/system/init.te |    5 +++++
 2 files changed, 32 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d26fe81..0cce693 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -417,6 +417,33 @@ interface(`init_ranged_system_domain',`
 
 ########################################
 ## <summary>
+##	Mark the file type as a daemon run dir, allowing
+##	initrc_t to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon run dir
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the directory that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_run_dir',`
+	gen_require(`
+		attribute daemonrundir;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonrundir;
+
+	files_pid_filetrans(initrc_t, $1, dir, $2)
+')
+
+########################################
+## <summary>
 ##	Execute init (/sbin/init) with a domain transition.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4a88fa1..bf167d5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -29,6 +29,9 @@ attribute init_run_all_scripts_domain;
 # Mark process types as daemons
 attribute daemon;
 
+# Mark file type as a daemon run directory
+attribute daemonrundir;
+
 #
 # init_t is the domain of the init process.
 #
@@ -242,6 +245,8 @@ init_telinit(initrc_t)
 
 can_exec(initrc_t, init_script_file_type)
 
+create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
+
 domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
 
 manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
-- 
1.7.8.6