From: dev@emefes.com (Mladen Sekara)
Date: Thu, 22 May 2014 00:13:43 +1000
Subject: [refpolicy] Single init script for multiple daemons
In-Reply-To: <537B578C.2070909@tresys.com>
References: <1400213807.25089.9.camel@4282a12macko> <1400242151.444.4.camel@x220.localdomain> <1400413033.4570.36.camel@vaio-emefes-com> <537B578C.2070909@tresys.com>
Message-ID: <1400681623.5630.18.camel@vaio-emefes-com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Thanks for that. I think this will give me enough to start.

Just for clarity, what is the difference between init_script_domain() and init_daemon_domain()?

- init_script_domain() - transition to the init script domain via the init script as an entry point to that domain?
- init_daemon_domain() - transition to the actual daemon domain via a daemon entry point?

--
Mladen Sekara

On Tue, 2014-05-20 at 09:24 -0400, Christopher J. PeBenito wrote:
> On 05/18/2014 07:37 AM, Mladen Sekara wrote:
> > Thanks Dominick.
> >
> > Could you please elaborate a bit further on the use of init_script_domain.
> >
> > I had a look at the hadoop policy module, but it seems hadoop has multiple
> > init scripts for different daemons (don't know much about hadoop and
> > its internals though). It has a reference to init_script_domain() in the
> > interface file, but with my SELinux experience, I couldn't make much
> > sense of it.
> >
> > In my case I have a single init script starting multiple daemons:
> >
> > /etc/init.d/start_all (myapp_initrc_exec_t) -> /opt/myapp/start_all
> > /opt/myapp/bin/daemon1 (domain1_exec_t)
> > /opt/myapp/bin/daemon2 (domain_exec_t)
> >
> > So, just to clarify, in this case I would have:
> >
> > init_script_domain(daemon1_t, daemon1_exec_t)... ???
> > init_script_domain(daemon2_t, daemon2_exec_t)... ???
> >
> > or
> >
> > init_daemon_domain(daemon1_t, daemon1_exec_t)
> > init_daemon_domain(daemon2_t, daemon2_exec_t)
>
> If your init script simply starts/stops your daemons, you probably don't
> need a new type for your init script (no need for init_script_domain()).
> Since you want your two daemons to start up in separate domains, then you
> would use init_daemon_domain(), i.e. the second option above. Then the
> private resources would be daemon1_*_t and daemon2_*_t and the shared
> resources would have their own type(s).
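As an added illustration of the second option Christopher describes (this is not code from the thread or from refpolicy itself), a minimal refpolicy module for the layout Mladen gave: two daemon domains declared with init_daemon_domain(), the init script given only a file type (it keeps running as initrc_t, so no init_script_domain() is needed), a private pid-file type per daemon, and one shared log type. The module name myapp, the /var/log/myapp path and the pid/log type names are assumptions.

```selinux
# myapp.te (assumed module name; daemon paths are the ones from the thread)
policy_module(myapp, 1.0.0)

########################################
# Declarations

# One domain and one entry-point type per daemon. When initrc_t executes
# a *_exec_t file, init_daemon_domain() transitions it into that domain.
type daemon1_t;
type daemon1_exec_t;
init_daemon_domain(daemon1_t, daemon1_exec_t)

type daemon2_t;
type daemon2_exec_t;
init_daemon_domain(daemon2_t, daemon2_exec_t)

# The init script only needs a file type: init runs it as initrc_t.
type myapp_initrc_exec_t;
init_script_file(myapp_initrc_exec_t)

# Private resources: one pid-file type per daemon (assumed names)
type daemon1_var_run_t;
files_pid_file(daemon1_var_run_t)
type daemon2_var_run_t;
files_pid_file(daemon2_var_run_t)

# Shared resource: a log directory both daemons write to (assumed)
type myapp_log_t;
logging_log_file(myapp_log_t)

########################################
# Policy: each daemon reaches only its own pid file plus the shared log

manage_files_pattern(daemon1_t, daemon1_var_run_t, daemon1_var_run_t)
files_pid_filetrans(daemon1_t, daemon1_var_run_t, file)
manage_files_pattern(daemon1_t, myapp_log_t, myapp_log_t)
logging_search_logs(daemon1_t)

manage_files_pattern(daemon2_t, daemon2_var_run_t, daemon2_var_run_t)
files_pid_filetrans(daemon2_t, daemon2_var_run_t, file)
manage_files_pattern(daemon2_t, myapp_log_t, myapp_log_t)
logging_search_logs(daemon2_t)

# myapp.fc: the wrapper is plain bin_t so initrc_t runs it without a transition
/etc/init.d/start_all   --  gen_context(system_u:object_r:myapp_initrc_exec_t,s0)
/opt/myapp/start_all    --  gen_context(system_u:object_r:bin_t,s0)
/opt/myapp/bin/daemon1  --  gen_context(system_u:object_r:daemon1_exec_t,s0)
/opt/myapp/bin/daemon2  --  gen_context(system_u:object_r:daemon2_exec_t,s0)
/var/log/myapp(/.*)?        gen_context(system_u:object_r:myapp_log_t,s0)
```

Because daemon1_t has no rules for daemon2_var_run_t (and vice versa), a compromise of one daemon cannot touch the other's private files, while both can still share the log type.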