From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 16 May 2014 14:09:11 +0200
Subject: [refpolicy] Single init script for multiple daemons
In-Reply-To: <1400213807.25089.9.camel@4282a12macko>
References: <1400213807.25089.9.camel@4282a12macko>
Message-ID: <1400242151.444.4.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2014-05-16 at 14:16 +1000, Mladen Sekara wrote:
> Posted the question originally on the main selinux mailing list, but as
> suggested it seems it belongs here. Apologies for the long email.
>
> Anyway, I hope someone can provide some help and guidance.
>
> The problem:
> ----------------------------------------------------------------------
> One application, multiple components/daemons.
> Some files are specific to a daemon, some are shared between them (e.g.
> log files are unique, some config files, keystores... are shared etc.)
>
> All daemons start from a single init script and I am not allowed to
> change it.

init_script_domain() will let the init domain transition on the script to a specified domain, rather than initrc_t. This allows you to use that specified type to specify further domain transitions to each individual application. This allows you to confine various services all started from a single init script in individual domains. See the hadoop policy module for an example. It's a common issue with Java services.

Mind though that although this works in simple scenarios, it does have quirks in situations where you, for example, have to use run_init. But in simple common scenarios this solution should work.
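The layout Dominick describes, written out as a refpolicy module. This is an added example, not code from the mailing list, from the hadoop module, or from any real application: the application name "foo", the two daemons and their paths, and the log/config type names are all assumptions made for illustration. The script itself runs in foo_initrc_t instead of initrc_t, and that domain is the only one allowed to transition into the two daemon domains; each daemon gets its own log type and both share one config/keystore type.

```selinux
policy_module(foo, 1.0.0)

# Hypothetical application "foo" with two daemons started by ONE init
# script (constructed example; names and paths are assumptions).
#
# foo.fc (separate file, shown here for completeness):
#   /etc/rc\.d/init\.d/foo        --  gen_context(system_u:object_r:foo_initrc_exec_t,s0)
#   /usr/sbin/foo-a               --  gen_context(system_u:object_r:foo_a_exec_t,s0)
#   /usr/sbin/foo-b               --  gen_context(system_u:object_r:foo_b_exec_t,s0)
#   /var/log/foo/a(/.*)?              gen_context(system_u:object_r:foo_a_log_t,s0)
#   /var/log/foo/b(/.*)?              gen_context(system_u:object_r:foo_b_log_t,s0)
#   /etc/foo(/.*)?                    gen_context(system_u:object_r:foo_conf_t,s0)

########################################
#
# Declarations
#

# Domain for the init script itself. init_t transitions to foo_initrc_t
# when it executes foo_initrc_exec_t, instead of landing in initrc_t.
type foo_initrc_t;
type foo_initrc_exec_t;
init_script_domain(foo_initrc_t, foo_initrc_exec_t)

# One domain per daemon, each with its own entrypoint executable.
type foo_a_t;
type foo_a_exec_t;
domain_type(foo_a_t)
domain_entry_file(foo_a_t, foo_a_exec_t)
role system_r types foo_a_t;

type foo_b_t;
type foo_b_exec_t;
domain_type(foo_b_t)
domain_entry_file(foo_b_t, foo_b_exec_t)
role system_r types foo_b_t;

# Per-daemon log files: A must not be able to touch B's logs and vice versa.
type foo_a_log_t;
logging_log_file(foo_a_log_t)
type foo_b_log_t;
logging_log_file(foo_b_log_t)

# Config files and keystores shared (read-only) by both daemons.
type foo_conf_t;
files_config_file(foo_conf_t)

########################################
#
# Init script local policy
#

allow foo_initrc_t self:fifo_file rw_fifo_file_perms;
allow foo_initrc_t self:process { setsched signal };

# The script only reaches the daemon domains through their entrypoints.
domtrans_pattern(foo_initrc_t, foo_a_exec_t, foo_a_t)
domtrans_pattern(foo_initrc_t, foo_b_exec_t, foo_b_t)

# Typical shell-script needs; extend from audit denials as required.
kernel_read_system_state(foo_initrc_t)
corecmd_exec_bin(foo_initrc_t)
corecmd_exec_shell(foo_initrc_t)
files_read_etc_files(foo_initrc_t)
logging_send_syslog_msg(foo_initrc_t)
miscfiles_read_localization(foo_initrc_t)

########################################
#
# Daemon A local policy
#

allow foo_a_t self:fifo_file rw_fifo_file_perms;
allow foo_a_t self:tcp_socket create_stream_socket_perms;

manage_files_pattern(foo_a_t, foo_a_log_t, foo_a_log_t)
logging_log_filetrans(foo_a_t, foo_a_log_t, file)
logging_search_logs(foo_a_t)

read_files_pattern(foo_a_t, foo_conf_t, foo_conf_t)
files_search_etc(foo_a_t)
miscfiles_read_localization(foo_a_t)

########################################
#
# Daemon B local policy
#

allow foo_b_t self:fifo_file rw_fifo_file_perms;
allow foo_b_t self:tcp_socket create_stream_socket_perms;

manage_files_pattern(foo_b_t, foo_b_log_t, foo_b_log_t)
logging_log_filetrans(foo_b_t, foo_b_log_t, file)
logging_search_logs(foo_b_t)

read_files_pattern(foo_b_t, foo_conf_t, foo_conf_t)
files_search_etc(foo_b_t)
miscfiles_read_localization(foo_b_t)
```

After building and loading the module and relabelling the paths in the .fc file, check the transition chain before trusting it: `sesearch -T -s foo_initrc_t -c process` should list only the two foo_a_exec_t and foo_b_exec_t transitions, and after a restart `ps -eZ | grep foo_` should show one process in foo_a_t and one in foo_b_t rather than both in initrc_t. Because the transition is defined from init_t via init_script_domain(), starting the script by other means (the run_init case Dominick mentions) needs to be tested separately rather than assumed to land in foo_initrc_t.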