From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 4 Mar 2014 19:15:00 +0100
Subject: [refpolicy] RFC init_daemon_run_file
In-Reply-To: <20140304172506.GA17317@siphos.be>
References: <20140304172506.GA17317@siphos.be>
Message-ID: <20140304181459.GA26996@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Mar 04, 2014 at 06:25:07PM +0100, Sven Vermeulen wrote:
> A couple of init scripts create PID files for their respective daemons
> (domains) in the /run location. Right now, the SELinux policy supports
> transitions for directories that are created in /run through the
> init_daemon_run_dir() method.
[...]

bigon mentioned on #selinux that this was suggested end of 2012 [1]. There,
the suggestion was to generalize the existing method (init_daemon_run_dir)
to one that takes the class with it. However, there was no consensus on the
name (and "init_daemon_run" wouldn't cut it).

May I suggest the following?

    interface(`init_script_generic_run_filetrans_spec',`
    	gen_require(`
    		attribute daemonpidfile;
    		type initrc_t;
    	')

    	# $1: the type to transition to; it is also marked as a daemon PID file type
    	typeattribute $1 daemonpidfile;

    	# $2: object class, $3: object name, passed on unchanged
    	files_pid_filetrans(initrc_t, $1, $2, $3)
    ')

The name would be chosen due to the following:

- init_script_ (instead of init_) to identify that this is about initrc_t.
- generic_run_ to inform that we start from the generic run type (var_run_t)
- filetrans_ (because it is a file transition)
- spec (because it transitions to the specified type rather than a
  module-provided one).

Wkr,
	Sven Vermeulen
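
How a policy module might call the interface proposed in this message, as an added example that is not part of the original post or of refpolicy itself. The module name `mydaemon`, its types and the file name `mydaemon.pid` are hypothetical; the other interfaces used are existing refpolicy ones.

```selinux
# mydaemon.te (hypothetical module, constructed for illustration)
policy_module(mydaemon, 1.0.0)

# Daemon domain and its entry point, started from an init script.
type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# Private type for the daemon's PID file.
type mydaemon_var_run_t;
files_pid_file(mydaemon_var_run_t)

# The init script (initrc_t) writes /run/mydaemon.pid before the daemon runs.
# With the interface proposed above, the call below would:
#   - add mydaemon_var_run_t to the daemonpidfile attribute, and
#   - via files_pid_filetrans(), produce a named type transition equivalent to
#       type_transition initrc_t var_run_t:file mydaemon_var_run_t "mydaemon.pid";
# Passing the file name keeps the transition scoped to that one object, so
# other files the init script creates in /run keep the generic var_run_t.
init_script_generic_run_filetrans_spec(mydaemon_var_run_t, file, "mydaemon.pid")

# The daemon itself also maintains its PID file once it is running.
allow mydaemon_t mydaemon_var_run_t:file manage_file_perms;
files_pid_filetrans(mydaemon_t, mydaemon_var_run_t, file)
```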