From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 15 Aug 2014 11:39:31 +0200
Subject: [refpolicy] [PATCH 4/5] Introduce the tmpfiles_t domain
In-Reply-To: <1408046012.8445.6.camel@x220.localdomain>
References: <1407434738-11937-1-git-send-email-sven.vermeulen@siphos.be>
	<1407434738-11937-5-git-send-email-sven.vermeulen@siphos.be>
	<53ED1098.1000401@tresys.com>
	<1408046012.8445.6.camel@x220.localdomain>
Message-ID: <20140815093931.GC5715@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Aug 14, 2014 at 09:53:32PM +0200, Dominick Grift wrote:
> On Thu, 2014-08-14 at 15:40 -0400, Christopher J. PeBenito wrote:
> > On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
> > > +policy_module(tmpfiles, 1.0.0)
> > [...]
> > > +type tmpfiles_var_run_t;
> > > +files_pid_file(tmpfiles_var_run_t)
> > 
> > Nothing really jumped out at me as being a problem, but since most
> > (all?) distributions have moved towards these files being in /run, I'd
> > prefer to get away from having "var_run" in the type names.  Why don't
> > we go with something like tmpfiles_run_t or tmpfiles_pid_t?
> > 
> 
> In that policy tmpfiles is allowed to create chars with type device_t
> 
> Also this is not tmpfiles, this is a shell script that mimics tmpfiles

I think that's a matter of looking at things. I see "tmpfiles" as the API
and functionality as described by freedesktop.org, and the main
implementation of it is systemd-tmpfiles, but other implementations exist as
well.

The reference policy has many examples of domains that are providing the
rules for multiple implementations.

> tmpfiles does not run setfiles, it uses libselinux

I'll happily put the Gentoo specifics inside an ifdef(`distro_gentoo',...)
block once I know which ones that would be.

Wkr,
	Sven Vermeulen