From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 23 Aug 2012 09:19:00 -0400
Subject: [refpolicy] [PATCH v3 1/3] Introduce init_daemon_run_dir
	transformation
In-Reply-To: <20120816112537.GA30585@siphos.be>
References: <20120814172720.GA10055@siphos.be>
	<20120814172817.GB10055@siphos.be>
	<20120816112537.GA30585@siphos.be>
Message-ID: <50362DC4.1010709@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/16/12 07:25, Sven Vermeulen wrote:
> On Tue, Aug 14, 2012 at 07:28:17PM +0200, Sven Vermeulen wrote:
>> Due to the introduction of /run, many init scripts need to create the daemon run
>> dirs (such as /run/udev for the udev init script). To simplify this, we
>> introduce the "daemonrundir" attribute to which initrc_t has the necessary
>> create_dirs_perms granted.
> [...]
>> @@ -242,6 +245,8 @@ init_telinit(initrc_t)
>>  
>>  can_exec(initrc_t, init_script_file_type)
>>  
>> +create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
>> +
>>  domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
>>  
>>  manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
> 
> I seem to have a few cases where the init script is also responsible for
> changing the ownership of the directories (actually every time the service
> itself doesn't run as root), which would need the following added as well:
> 
> 	setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
> 
> (or the allow-rule).
> 
> Does it make sense to add it here as well (so allow this generally)? If not,
> I'd need to enhance the initrc_t domain with all the necessary
> *_setattr_run_dir interface calls anyhow.

I'm ok with adding this.


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com