From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 25 Aug 2012 20:25:06 +0200
Subject: [refpolicy] [PATCH v4 1/4] Introduce init_daemon_run_dir transformation
In-Reply-To: <20120825182417.GA23427@siphos.be>
References: <20120825182417.GA23427@siphos.be>
Message-ID: <20120825182505.GB23427@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Due to the introduction of /run, many init scripts need to create the daemon
run dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted. Because it often needs to change the attributes or
ownership of the directories as well, we also grant the setattr rights on the
directory.

Then, when needed, the modules can call this interface while adding the name of
the directory. This will trigger a named file transition when initrc_t creates
this directory:

  init_daemon_run_dir(udev_var_run_t, "udev")

will trigger

  files_pid_filetrans(initrc_t, udev_var_run_t, dir, "udev")

Signed-off-by: Sven Vermeulen
---
 policy/modules/system/init.if | 27 +++++++++++++++++++++++++++
 policy/modules/system/init.te | 6 ++++++
 2 files changed, 33 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index d26fe81..3f0c2d3 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
@@ -417,6 +417,33 @@ interface(`init_ranged_system_domain',` ######################################## ## +## Mark the file type as a daemon run dir, allowing initrc_t +## to create it +## +## +## +## Type to mark as a daemon run dir +## +## +## +## +## Filename of the directory that the init script creates +## +## +# +interface(`init_daemon_run_dir',` + gen_require(` + attribute daemonrundir; + type initrc_t; + ') + + typeattribute $1 daemonrundir; + + files_pid_filetrans(initrc_t, $1, dir, $2) +') + +######################################## +## ## Execute init (/sbin/init) with a domain transition. ## ## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index f3c70ff..933f846 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -29,6 +29,9 @@ attribute init_run_all_scripts_domain; # Mark process types as daemons attribute daemon; +# Mark file type as a daemon run directory +attribute daemonrundir; + # # init_t is the domain of the init process. # @@ -242,6 +245,9 @@ init_telinit(initrc_t) can_exec(initrc_t, init_script_file_type) +create_dirs_pattern(initrc_t, daemonrundir, daemonrundir) +setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir) + domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t) manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t) -- 1.7.8.6
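
Review bot: In the init.if hunk, the parameter documentation for init_daemon_run_dir does not state the preconditions the body relies on. The body only does "typeattribute $1 daemonrundir;" and "files_pid_filetrans(initrc_t, $1, dir, $2)", so $1 has to be declared as a pid file type by the caller, and $2 has to be the bare name of the directory as created directly under the pid directory (a named transition matches the final path component, not a path). Please say both in the two parameter descriptions. The summary should also mention that marking a type this way gives initrc_t setattr on the directory through the attribute, not only the right to create it, so module authors know what they are opting into.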
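
Review bot: In the second init.te hunk, the two rules added after can_exec(initrc_t, init_script_file_type) pass daemonrundir as both the containing directory and the target type: "create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)" and "setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)". That gives initrc_t add-entry access inside every directory that carries the attribute, in addition to creating the directory itself, which is wider than the commit message's stated goal of creating the top-level run dir under /run. Because the grant is attribute-wide, every type later passed to init_daemon_run_dir inherits it. If nested directories are not required, a rule limited to create and setattr on daemonrundir:dir would be narrower; if they are required, a comment above these two lines explaining why would help later review.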