From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 29 Nov 2012 18:49:24 +0100
Subject: [refpolicy] Transition of files and directories created by initscript
In-Reply-To: <20121129180321.6a62fa6f@soldur.bigon.be>
References: <20121129180321.6a62fa6f@soldur.bigon.be>
Message-ID: <20121129174841.GA14171@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Nov 29, 2012 at 06:03:21PM +0100, Laurent Bigonville wrote:
> Currently there is the init_daemon_run_dir() interface that allows
> transitioning directories to the correct context. Dominick has suggested
> to me on IRC creating a new interface to generalize to transitioning files
> (something like init_pid_initrc_spec_filetrans()).

Why not add an init_daemon_run_file() interface?

It's perhaps a very personal opinion, but I find it easier to read:

    type mysqld_var_run_t;
    files_pid_file(mysqld_var_run_t)
    init_daemon_run_dir(mysqld_var_run_t, "mysqld")

versus

    type mysqld_var_run_t;
    files_pid_file(mysqld_var_run_t)
    init_pid_initrc_spec_filetrans(mysqld_var_run_t, dir, "mysqld")

The _spec_ always throws me off, as spec_domtrans_pattern is to imply that
the domain itself is SELinux-aware and will specify a transition itself.

For a spec_filetrans, I would expect the same behavior (i.e. no automatic
file transition, but the domain itself is SELinux-aware and chooses a new
file type) - only it doesn't make sense, since for file transitions, no
policy-wise rules are needed (just allow the domain write to the parent
type and create for the target type + relabel rights?)

Wkr,
	Sven Vermeulen
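As an added illustration (not part of the thread, and not refpolicy's own source), here is a minimal policy module using the init_daemon_run_dir() call from the snippet above, followed by the raw rules that call is assumed to expand to. The module name "mydaemon" is made up; the expansion is reconstructed from refpolicy's filetrans_pattern() macro (an allow on the parent directory plus a named type_transition) and should be confirmed against the installed policy with the sesearch commands in the comments, since the exact rights granted on the new type vary between refpolicy versions.

```selinux
# Added example, not from the mailing-list thread or from refpolicy itself.
# "mydaemon" is an assumed module name; "mysqld" and mysqld_var_run_t come
# from the snippet in the message above.
policy_module(mydaemon, 1.0.0)

# Declare the type the daemon's run directory should carry and mark it as a
# pid-file type so it may live under /var/run.
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)

# init_daemon_run_dir(type, name): when the initrc domain creates the
# directory "mysqld" under /var/run (var_run_t), label it mysqld_var_run_t.
init_daemon_run_dir(mysqld_var_run_t, "mysqld")

# Assumed expansion of the call above (via files_pid_filetrans ->
# filetrans_pattern). Two things are granted by the pattern itself:
#   1. rw_dir_perms on the parent type, so initrc_t may add the new entry:
#        allow initrc_t var_run_t:dir rw_dir_perms;
#   2. the named file transition that assigns the new label:
#        type_transition initrc_t var_run_t:dir mysqld_var_run_t "mysqld";
# Rights to actually create (and later relabel or remove) an object of the
# new type are a separate matter: whether the interface adds them or the
# caller must, check the loaded policy rather than assume.
#
# Checks after loading the module (setools sesearch):
#   sesearch --type_trans -s initrc_t -t var_run_t -c dir
#   sesearch --allow -s initrc_t -t mysqld_var_run_t -c dir -p create
```

The first sesearch line should show the named transition; if the second prints nothing, the initscript will hit a create denial on the new type even though the transition rule is present, which is exactly the "create for the target type" part of Sven's last paragraph.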