From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 20 May 2014 09:24:28 -0400
Subject: [refpolicy] Single init script for multiple daemons
In-Reply-To: <1400413033.4570.36.camel@vaio-emefes-com>
References: <1400213807.25089.9.camel@4282a12macko>
	<1400242151.444.4.camel@x220.localdomain>
	<1400413033.4570.36.camel@vaio-emefes-com>
Message-ID: <537B578C.2070909@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/18/2014 07:37 AM, Mladen Sekara wrote:
> Thanks Dominick.
>
> Could you please elaborate a bit further on the use of init_script_domain.
>
> I had a look at the hadoop policy module, but it seems hadoop has multiple
> init scripts for different daemons (don't know much about hadoop and
> its internals though). It has a reference to init_script_domain() in the
> interface file, but with my SELinux experience, I couldn't make much
> sense of it.
>
> In my case I have a single init script starting multiple daemons:
>
> /etc/init.d/start_all (myapp_initrc_exec_t) -> /opt/myapp/start_all
>     /opt/myapp/bin/daemon1 (domain1_exec_t)
>     /opt/myapp/bin/daemon2 (domain_exec_t)
>
> So, just to clarify, in this case I would have:
>
> init_script_domain(daemon1_t, daemon1_exec_t)... ???
> init_script_domain(daemon2_t, daemon2_exec_t)... ???
>
> or
>
> init_daemon_domain(daemon1_t, daemon1_exec_t)
> init_daemon_domain(daemon2_t, daemon2_exec_t)

If your init script simply starts/stops your daemons, you probably don't need a new type for your init script (no need for init_script_domain()). Since you want your two daemons to start up in separate domains, you would use init_daemon_domain(), i.e. the second option above. Then the private resources would be daemon1_*_t and daemon2_*_t, and the shared resources would have their own type(s).

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
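What the second option looks like as a complete module, as an added example that is not part of the thread and not code from the reference policy: one domain and one entrypoint type per daemon declared with init_daemon_domain(), private log types per daemon, one shared type for the PID/socket directory, and a .fc that leaves the init script on the default /etc/init.d label. The paths under /var/log and /var/run, the bin_t label for the /opt/myapp/start_all wrapper, daemon2's entrypoint being daemon2_exec_t (the thread lists it once as domain_exec_t), and the assumption that daemon2 connects to daemon1 over a unix socket in the shared directory are all assumptions made for the example.

```selinux
# myapp.te  (added example; not refpolicy code. daemon1_t, daemon2_t and
# init_daemon_domain() come from the thread; everything else is assumed)
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

# init_daemon_domain() gives initrc_t an automatic transition to
# daemonN_t whenever it executes a file labelled daemonN_exec_t.
# It does not matter that both execs come from one start_all script.
type daemon1_t;
type daemon1_exec_t;
init_daemon_domain(daemon1_t, daemon1_exec_t)

type daemon2_t;
type daemon2_exec_t;
init_daemon_domain(daemon2_t, daemon2_exec_t)

# Private resources: one type per daemon (assumed: a log dir each)
type daemon1_var_log_t;
logging_log_file(daemon1_var_log_t)

type daemon2_var_log_t;
logging_log_file(daemon2_var_log_t)

# Shared resource: both daemons use /var/run/myapp (assumed)
type myapp_var_run_t;
files_pid_file(myapp_var_run_t)

########################################
#
# daemon1 local policy
#

allow daemon1_t self:fifo_file rw_fifo_file_perms;
allow daemon1_t self:unix_stream_socket create_stream_socket_perms;

# Only daemon1_t can touch daemon1's log type
manage_files_pattern(daemon1_t, daemon1_var_log_t, daemon1_var_log_t)
logging_log_filetrans(daemon1_t, daemon1_var_log_t, file)

# Shared PID/socket directory: files created there get the shared type
manage_files_pattern(daemon1_t, myapp_var_run_t, myapp_var_run_t)
manage_sock_files_pattern(daemon1_t, myapp_var_run_t, myapp_var_run_t)
files_pid_filetrans(daemon1_t, myapp_var_run_t, { file sock_file })

kernel_read_system_state(daemon1_t)
miscfiles_read_localization(daemon1_t)
logging_send_syslog_msg(daemon1_t)

########################################
#
# daemon2 local policy
#

allow daemon2_t self:fifo_file rw_fifo_file_perms;
allow daemon2_t self:unix_stream_socket create_stream_socket_perms;

manage_files_pattern(daemon2_t, daemon2_var_log_t, daemon2_var_log_t)
logging_log_filetrans(daemon2_t, daemon2_var_log_t, file)

manage_files_pattern(daemon2_t, myapp_var_run_t, myapp_var_run_t)
files_pid_filetrans(daemon2_t, myapp_var_run_t, file)

# Assumed: daemon2 connects to daemon1's socket in the shared directory.
# Without this line the two domains share the directory but cannot talk.
stream_connect_pattern(daemon2_t, myapp_var_run_t, myapp_var_run_t, daemon1_t)

kernel_read_system_state(daemon2_t)
miscfiles_read_localization(daemon2_t)
logging_send_syslog_msg(daemon2_t)

# ---------------------------------------------------------------------
# myapp.fc  (added example). /etc/init.d/start_all is deliberately not
# listed: it keeps the default initrc_exec_t, so no init_script_domain()
# and no myapp_initrc_exec_t are needed. The /opt wrapper is labelled
# bin_t (assumed) so initrc_t runs it without a domain change; the
# transitions happen on the two daemon binaries.
/opt/myapp/start_all		--	gen_context(system_u:object_r:bin_t,s0)
/opt/myapp/bin/daemon1		--	gen_context(system_u:object_r:daemon1_exec_t,s0)
/opt/myapp/bin/daemon2		--	gen_context(system_u:object_r:daemon2_exec_t,s0)
/var/log/daemon1(/.*)?			gen_context(system_u:object_r:daemon1_var_log_t,s0)
/var/log/daemon2(/.*)?			gen_context(system_u:object_r:daemon2_var_log_t,s0)
/var/run/myapp(/.*)?			gen_context(system_u:object_r:myapp_var_run_t,s0)
```

After loading the module and running restorecon on the paths in the .fc, the thing to verify is the transition rule itself, e.g. `sesearch -T -s initrc_t -t daemon1_exec_t` should show `initrc_t daemon1_exec_t : process daemon1_t`, and `ps -eZ` after a service start should show one process in daemon1_t and one in daemon2_t. The caveat that trips people up: the transition is keyed on the caller being initrc_t (or init_t), so running /opt/myapp/start_all by hand from an admin shell leaves both daemons in the shell's domain; start them through the init system (or run_init) when testing.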