From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 15 Aug 2014 11:39:31 +0200
Subject: [refpolicy] [PATCH 4/5] Introduce the tmpfiles_t domain
In-Reply-To: <1408046012.8445.6.camel@x220.localdomain>
References: <1407434738-11937-1-git-send-email-sven.vermeulen@siphos.be> <1407434738-11937-5-git-send-email-sven.vermeulen@siphos.be> <53ED1098.1000401@tresys.com> <1408046012.8445.6.camel@x220.localdomain>
Message-ID: <20140815093931.GC5715@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Aug 14, 2014 at 09:53:32PM +0200, Dominick Grift wrote:
> On Thu, 2014-08-14 at 15:40 -0400, Christopher J. PeBenito wrote:
> > On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
> > > +policy_module(tmpfiles, 1.0.0)
> > [...]
> > > +type tmpfiles_var_run_t;
> > > +files_pid_file(tmpfiles_var_run_t)
> >
> > Nothing really jumped out at me as being a problem, but since most
> > (all?) distributions have moved towards these files being in /run, I'd
> > prefer to get away from having "var_run" in the type names. Why don't
> > we go with something like tmpfiles_run_t or tmpfiles_pid_t?
>
> In that policy tmpfiles is allowed to create chars with type device_t
>
> Also this is not tmpfiles, this is a shell script that mimics tmpfiles

I think that's a matter of looking at things. I see "tmpfiles" as the API and
functionality as described by freedesktop.org, and the main implementation of
it is systemd-tmpfiles, but other implementations exist as well. The reference
policy has many examples of domains that are providing the rules for multiple
implementations.

> tmpfiles does not run setfiles, it uses libselinux

I'll happily put the Gentoo specifics inside an ifdef(`distro_gentoo',...)
block once I know which ones that would be.

Wkr,
	Sven Vermeulen
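Review bot: renaming tmpfiles_var_run_t to tmpfiles_run_t (or tmpfiles_pid_t) as suggested touches more than the two declaration lines shown; the type is also referenced wherever its file context and interfaces live, and the [...] elision hides those, so the rename should be applied to the module's .fc and .if files in the same patch to keep the module consistent.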
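As an added illustration of the two points raised in the thread (dropping "var_run" from the type name, and isolating Gentoo-specific rules in an ifdef(`distro_gentoo', ...) block), here is a reference-policy style .te fragment. This is example code written for this page, not the patch under review or any refpolicy module; the rules placed inside the Gentoo block are assumptions drawn only from the remark that Gentoo's implementation is a shell script that runs setfiles, and the interface names used (init_daemon_domain, files_pid_file, seutil_domtrans_setfiles) are existing refpolicy interfaces.

```m4
policy_module(tmpfiles, 1.0.0)

########################################
#
# Declarations
#

# The domain and its entry point; which implementation provides the
# entry point (systemd-tmpfiles or a distribution's script) is decided
# by the file contexts, not by the domain declaration.
type tmpfiles_t;
type tmpfiles_exec_t;
init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)

# Runtime files live under /run on current distributions, so the type
# name carries no "var_run" path fragment (per the review comment).
type tmpfiles_run_t;
files_pid_file(tmpfiles_run_t)

########################################
#
# Policy
#

# Rules common to every tmpfiles implementation go here, unconditionally.
manage_files_pattern(tmpfiles_t, tmpfiles_run_t, tmpfiles_run_t)
files_pid_filetrans(tmpfiles_t, tmpfiles_run_t, file)

# Distribution-specific rules are fenced off so that other
# implementations (e.g. systemd-tmpfiles, which uses libselinux
# directly) do not inherit privileges they never need.
ifdef(`distro_gentoo',`
	# Assumption for this example: the Gentoo shell-script
	# implementation relabels the files it creates by invoking
	# setfiles, so it needs the setfiles domain transition.
	seutil_domtrans_setfiles(tmpfiles_t)
')
```

The unconditional block is deliberately kept to what every implementation of the freedesktop.org tmpfiles interface needs; anything that only one implementation needs (here, the setfiles transition) stays inside the distribution ifdef so the domain does not become the union of every implementation's privileges.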