[refpolicy] Transition of files and directories created by initscript

[dominick.grift@gmail.com (grift)]

On Thu, 2012-11-29 at 18:03 +0100, Laurent Bigonville wrote:
> Hello,
> 
> On Debian, several initscripts are creating both files (often pidfiles)
> and directories under /var/run.
> 
> Currently there is the init_daemon_run_dir() interface that allows to
> transition directories in the correct context. Dominick has suggested me
> on IRC create a new interface to generalize to transition files
> (something like init_pid_initrc_spec_filetrans()).
> 
> Does anybody have comments about this? About the name?
> 
> Cheers

Something like this is ugly and a compromize but it might work:

> From ec5d520859d207dde4ce5932b721a4dd7e9d6934 Thu, 29 Nov 2012 18:19:43 +0100
> From: Dominick Grift <dominick.grift@gmail.com>
> Date: Thu, 29 Nov 2012 18:18:36 +0100
> Subject: [PATCH] test
> 
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 3f0c2d3..e78edf1 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -417,29 +417,33 @@
>  
>  ########################################
>  ## <summary>
> -##	Mark the file type as a daemon run dir, allowing initrc_t
> -##	to create it
> +##	Allow specified objects with specified
> +##	file types to be created by init
> +##	scripts with a type transition.
>  ## </summary>
> -## <param name="filetype">
> +## <param name="private_type">
>  ##	<summary>
> -##	Type to mark as a daemon run dir
> +##	Private file type.
>  ##	</summary>
>  ## </param>
> -## <param name="filename">
> +## <param name="object_class">
>  ##	<summary>
> -##	Filename of the directory that the init script creates
> +##	Class of the object being created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
>  ##	</summary>
>  ## </param>
>  #
> -interface(`init_daemon_run_dir',`
> +interface(`init_script_spec_run_content',`
>  	gen_require(`
> -		attribute daemonrundir;
>  		type initrc_t;
>  	')
>  
> -	typeattribute $1 daemonrundir;
> -
> -	files_pid_filetrans(initrc_t, $1, dir, $2)
> +	allow initrc_t $1:$2 { create open getattr setattr read write append rename link unlink ioctl lock };
> +	files_pid_filetrans(initrc_t, $1, $2, $3)
>  ')
>  
>  ########################################
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 5f2a36a..5114154 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -29,9 +29,6 @@
>  # Mark process types as daemons
>  attribute daemon;
>  
> -# Mark file type as a daemon run directory
> -attribute daemonrundir;
> -
>  #
>  # init_t is the domain of the init process.
>  #
> @@ -244,9 +241,6 @@
>  init_telinit(initrc_t)
>  
>  can_exec(initrc_t, init_script_file_type)
> -
> -create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
> -setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
>  
>  domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
>  
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index a2a4167..00bf416 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -25,7 +25,7 @@
>  
>  type udev_var_run_t;
>  files_pid_file(udev_var_run_t)
> -init_daemon_run_dir(udev_var_run_t, "udev")
> +init_script_spec_run_content(udev_var_run_t, { lnk_file dir }, "udev")
>  
>  ifdef(`enable_mcs',`
>  	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)


> Laurent Bigonville
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy