From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 16 May 2014 14:09:11 +0200
Subject: [refpolicy] Single init script for multiple daemons
In-Reply-To: <1400213807.25089.9.camel@4282a12macko>
References: <1400213807.25089.9.camel@4282a12macko>
Message-ID: <1400242151.444.4.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com


On Fri, 2014-05-16 at 14:16 +1000, Mladen Sekara wrote:
> Posted the question originally on main selinux mailing list, but as
> suggested it seems it belongs here. Apologies for long email.
> 
> Anyway, I hope someone can provide some help and guidance.
> 
> The problem:
> ----------------------------------------------------------------------
> One application, multiple components/daemons.
> Some files are specific to a daemon, some are shared between them (eg.
> log files are unique, some config files, keystores... are shared etc.)
> 
> All daemons start from a single init script and I am not allowed to
> change it.

init_script_domain() will let init domain transition on the script to a
specified domain, rather then initrc_t

this allows you to to use that specified type to specify further domain
transitions to each individual application.

This allows you to confine various services all started from a single
init script in individual domain.

See the hadoop policy module for an example.

Its a common issue with java services.

Mind though that although this works in simple scenarios, it does have
quirks in situations where you for example have to use run_init.

But in simple common scenarios this solution should work