From: dominick.grift@gmail.com (grift)
Date: Thu, 29 Nov 2012 18:58:59 +0100
Subject: [refpolicy] Transition of files and directories created by initscript
In-Reply-To: <20121129174841.GA14171@siphos.be>
References: <20121129180321.6a62fa6f@soldur.bigon.be> <20121129174841.GA14171@siphos.be>
Message-ID: <1354211939.20999.14.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2012-11-29 at 18:49 +0100, Sven Vermeulen wrote:
> On Thu, Nov 29, 2012 at 06:03:21PM +0100, Laurent Bigonville wrote:
> > Currently there is the init_daemon_run_dir() interface that allows to
> > transition directories in the correct context. Dominick has suggested me
> > on IRC create a new interface to generalize to transition files
> > (something like init_pid_initrc_spec_filetrans()).
>
> Why not add in an init_daemon_run_file() interface?

I agree, that might indeed be a more elegant solution

> It's perhaps a very personal opinion, but I find it easier to read:
>
> type mysqld_var_run_t;
> files_pid_file(mysqld_var_run_t)
> init_daemon_run_dir(mysqld_var_run_t, "mysqld")
>
> versus
>
> type mysqld_var_run_t;
> files_pid_file(mysqld_var_run_t)
> init_pid_initrc_spec_filetrans(mysqld_var_run_t, dir, "mysqld")

I guess so yes. The spec also confuses me but I just look at it as
"specified" and do not really place that into any context.

> The _spec_ always throws me off, as spec_domtrans_pattern is to imply that
> the domain itself is SELinux-aware and will specify a transition itself. For
> a spec_filetrans, I would expect the same behavior (i.e. no automatic file
> transition, but the domain itself is SELinux-aware and chooses a new file
> type) - only it doesn't make sense, since for file transitions, no
> policy-wise rules are needed (just allow the domain write to the parent type
> and create for the target type + relabel rights?)
>
> Wkr,
> Sven Vermeulen