From: dev@emefes.com (Mladen Sekara)
Date: Fri, 16 May 2014 14:16:47 +1000
Subject: [refpolicy] Single init script for multiple daemons
Message-ID: <1400213807.25089.9.camel@4282a12macko>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Posted the question originally on main selinux mailing list, but as
suggested it seems it belongs here. Apologies for long email. Anyway, I
hope someone can provide some help and guidance.

The problem:
----------------------------------------------------------------------
One application, multiple components/daemons. Some files are specific to
a daemon, some are shared between them (eg. log files are unique, some
config files, keystores... are shared etc.)

All daemons start from a single init script and I am not allowed to
change it.

Options:
1. Create policy for each component and then domain transition between
   them (what about shared files, eg. init script that starts both
   daemons???)
2. Create a single policy for multiple daemons?
------------------------------------------------------------------------

Advice was to create a single policy with multiple domains for each
daemon + domain for shared resources.

Now, would this be the right approach:
--------------------------------------------------------------------------
- Create a single policy with multiple domains
-- Create separate domains for each daemon + domain for shared resources
-- Transition between them where needed

If the file structure is:

    /opt/myapp/bin/daemon1 (daemon1_exec_t)
    /opt/myapp/bin/daemon2 (daemon2_exec_t)
    /opt/myapp/bin/start_all - (start script for both daemon1 and daemon2) (myapp_initrc_exec_t)
    /opt/myapp/all_shared_resources (myapp_t)
    /etc/init.d/sym_link_to_start_all (sym link to /opt/myapp/bin/start_all)

Can I have:

    type myapp_initrc_exec_t;
    init_script_file(myapp_initrc_exec_t)

for daemon1:

    init_daemon_domain(daemon1_t, daemon1_exec_t)

for daemon2:

    init_daemon_domain(daemon2_t, daemon2_exec_t)

...
---------------------------------------------------------------------------

Any advice?