* [refpolicy] [PATCH v2 0/2] More /run changes
From: Sven Vermeulen @ 2012-07-31 17:46 UTC
To: refpolicy

This set contains a few more /run changes:
- dhcpc creates /run/dhcpc (through scripts in the dhcpcd-hooks)
- dbus' init script creates /run/dbus
- mysql's init script creates /run/mysqld

It will be submitted separately: first the changes to the contrib modules,
followed by the changes to the core policy modules. This is the part for the
core modules.

Changes since v1
----------------
- The init script for mysql also needs setattr rights on the run dirs

Sven Vermeulen (2):
  DHCP client's hooks create /run/dhcpc directory
  Allow init scripts to create /run/mysqld and /run/dbus

 policy/modules/system/init.te       |    7 ++++++-
 policy/modules/system/sysnetwork.te |    3 ++-
 2 files changed, 8 insertions(+), 2 deletions(-)

--
1.7.8.6
* [refpolicy] [PATCH v2 1/2] DHCP client's hooks create /run/dhcpc directory 2012-07-31 17:46 [refpolicy] [PATCH v2 0/2] More /run changes Sven Vermeulen @ 2012-07-31 17:46 ` Sven Vermeulen 2012-08-07 17:22 ` Christopher J. PeBenito 2012-07-31 17:46 ` [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus Sven Vermeulen 1 sibling, 1 reply; 12+ messages in thread From: Sven Vermeulen @ 2012-07-31 17:46 UTC (permalink / raw) To: refpolicy This directory contains the working files for updating network-related files (like resolv.conf for name servers) before they are copied to the fixed location. Although already in use previously, this location (/var/run/dhcpc or /var/run/dhcpcd) was statically defined on the system. With the introduction of /run and systems having /var/run -> /run, this is now a dynamically created directory by dhcpc_t. Hence, the policy is enhanced allowing dhcpc_t to manage dhcpc_var_run_t directories, and include a file transition for directories created in the var_run_t location(s). Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- policy/modules/system/sysnetwork.te | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 8aed9d0..f3f9d47 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -65,7 +65,8 @@ filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) +manage_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) +files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. -- 1.7.8.6 ^ permalink raw reply related [flat|nested] 12+ messages in thread
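Review bot: manage_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t), the first added line in the sysnetwork.te hunk, grants dhcpc_t the full manage set on these directories (rename and remove included), while the commit message only describes the hooks creating /run/dhcpc. If the hooks never remove or rename the directory, create_dirs_pattern() is the narrower grant. The directory transition on the next line is also unnamed, so any directory dhcpc_t creates under a var_run_t directory becomes dhcpc_var_run_t; patch 2/2 passes a name ("dbus", "mysqld") for its directory transitions, and a named transition for the directory case here would match that. The "# create pid file" comment above the block should be updated to mention the directory.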
* [refpolicy] [PATCH v2 1/2] DHCP client's hooks create /run/dhcpc directory 2012-07-31 17:46 ` [refpolicy] [PATCH v2 1/2] DHCP client's hooks create /run/dhcpc directory Sven Vermeulen @ 2012-08-07 17:22 ` Christopher J. PeBenito 0 siblings, 0 replies; 12+ messages in thread From: Christopher J. PeBenito @ 2012-08-07 17:22 UTC (permalink / raw) To: refpolicy On 07/31/12 13:46, Sven Vermeulen wrote: > This directory contains the working files for updating network-related files > (like resolv.conf for name servers) before they are copied to the fixed > location. Although already in use previously, this location (/var/run/dhcpc or > /var/run/dhcpcd) was statically defined on the system. > > With the introduction of /run and systems having /var/run -> /run, this is now a > dynamically created directory by dhcpc_t. Hence, the policy is enhanced allowing > dhcpc_t to manage dhcpc_var_run_t directories, and include a file transition for > directories created in the var_run_t location(s). > > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> > --- > policy/modules/system/sysnetwork.te | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te > index 8aed9d0..f3f9d47 100644 > --- a/policy/modules/system/sysnetwork.te > +++ b/policy/modules/system/sysnetwork.te > @@ -65,7 +65,8 @@ filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) > > # create pid file > manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) > -files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) > +manage_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) Does it actually delete dirs? Wouldn't create_dirs_pattern() be sufficient? > +files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus 2012-07-31 17:46 [refpolicy] [PATCH v2 0/2] More /run changes Sven Vermeulen 2012-07-31 17:46 ` [refpolicy] [PATCH v2 1/2] DHCP client's hooks create /run/dhcpc directory Sven Vermeulen @ 2012-07-31 17:46 ` Sven Vermeulen 2012-08-07 17:20 ` Christopher J. PeBenito 1 sibling, 1 reply; 12+ messages in thread From: Sven Vermeulen @ 2012-07-31 17:46 UTC (permalink / raw) To: refpolicy Allow the init scripts to create /run/mysqld and /run/dbus with the proper file transition in place Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- policy/modules/system/init.te | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 6ae70ea..e389323 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -626,6 +626,8 @@ optional_policy(` optional_policy(` dbus_connect_system_bus(initrc_t) + dbus_create_system_dbusd_run_dirs(initrc_t) + dbus_generic_pid_filetrans_system_dbusd_run(initrc_t, dir, "dbus") dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -738,9 +740,12 @@ optional_policy(` mysql_manage_db_dirs(initrc_t) ') + mysql_create_run_dirs(initrc_t) + mysql_generic_run_filetrans_pid(initrc_t, dir, "mysqld") + mysql_read_config(initrc_t) + mysql_setattr_run_dirs(initrc_t) mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) - mysql_read_config(initrc_t) ') optional_policy(` -- 1.7.8.6 ^ permalink raw reply related [flat|nested] 12+ messages in thread
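Review bot: in the init.te hunk at line 626, initrc_t gets dbus_create_system_dbusd_run_dirs() and the named transition for "dbus" but no setattr counterpart, while the mysql hunk adds mysql_setattr_run_dirs(initrc_t). Please state in the commit message whether the dbus init script changes the owner or mode of /run/dbus after creating it; if it does, this hunk is missing the matching interface. None of the new dbus_* and mysql_* interfaces is defined in this patch (the diffstat touches init.te only), so the commit message should name the contrib change it depends on.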
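Review bot: the init.te hunk at line 738 moves mysql_read_config(initrc_t) (removed at the bottom, re-added above mysql_setattr_run_dirs) in the same change that adds the /run/mysqld rules. The move is an alphabetical reorder that the commit message does not mention; split it out or say so in the message. mysql_setattr_run_dirs(initrc_t) is explained only under "Changes since v1" in the cover letter, which is not part of the commit, so the commit message needs a sentence on why the init script needs setattr on the run directory.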
* [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus 2012-07-31 17:46 ` [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus Sven Vermeulen @ 2012-08-07 17:20 ` Christopher J. PeBenito 2012-08-07 17:35 ` Sven Vermeulen 0 siblings, 1 reply; 12+ messages in thread From: Christopher J. PeBenito @ 2012-08-07 17:20 UTC (permalink / raw) To: refpolicy On 07/31/12 13:46, Sven Vermeulen wrote: > Allow the init scripts to create /run/mysqld and /run/dbus with the proper file > transition in place > > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> > --- > policy/modules/system/init.te | 7 ++++++- > 1 files changed, 6 insertions(+), 1 deletions(-) > > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index 6ae70ea..e389323 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -626,6 +626,8 @@ optional_policy(` > > optional_policy(` > dbus_connect_system_bus(initrc_t) > + dbus_create_system_dbusd_run_dirs(initrc_t) > + dbus_generic_pid_filetrans_system_dbusd_run(initrc_t, dir, "dbus") > dbus_system_bus_client(initrc_t) > dbus_read_config(initrc_t) 
> > @@ -738,9 +740,12 @@ optional_policy(` > mysql_manage_db_dirs(initrc_t) > ') > > + mysql_create_run_dirs(initrc_t) > + mysql_generic_run_filetrans_pid(initrc_t, dir, "mysqld") > + mysql_read_config(initrc_t) > + mysql_setattr_run_dirs(initrc_t) > mysql_stream_connect(initrc_t) > mysql_write_log(initrc_t) > - mysql_read_config(initrc_t) It seems that there would be a couple possibilities to think about. The first would be to consider making init script domains for these services because their init scripts do so much. The second would be to investigate the possibility of some set of interfaces (probably reverse) so that we don't have to update init with all of the /run directory creation rules. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
From: Sven Vermeulen @ 2012-08-07 17:35 UTC
To: refpolicy

On Tue, Aug 7, 2012 at 7:20 PM, Christopher J. PeBenito <cpebenito@tresys.com> wrote:
> It seems that there would be a couple possibilities to think about. The first would be to
> consider making init script domains for these services because their init scripts do so
> much. The second would be to investigate the possibility of some set of interfaces
> (probably reverse) so that we don't have to update init with all of the /run directory
> creation rules.

I have been thinking (and playing) with the interface idea too.
However, it would go away from the current "domain-driven" interfaces
(where almost all interfaces' first argument is the domain on which it
has effect) which might seem awkward to use (and I haven't the
faintest idea how to call the interface then).

Something like "init_generic_run_init_create_run_dirs(mysqld_var_run_t,
"mysqld")" which allows initrc_t to create the "mysqld" directory in
var_run_t with an automatic type transition towards mysqld_var_run_t.

Another idea I had was to transform the run directories, like so:

"""
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)
files_dynamic_run_dir(mysqld_var_run_t, "mysqld")
"""

This would then just have automatic file transitions for /run. period:

interface(`files_dynamic_run_dir',`
  gen_require(`
    type var_run_t;
  ')
  filetrans_pattern(domain, var_run_t, $1, dir, $2)
')

So if an init script, named init script, application domain or user
does something like "mkdir /run/mysqld" then it automatically becomes
mysqld_var_run_t.
* [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
From: Christopher J. PeBenito @ 2012-08-07 17:42 UTC
To: refpolicy

On 08/07/12 13:35, Sven Vermeulen wrote:
> On Tue, Aug 7, 2012 at 7:20 PM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
>> It seems that there would be a couple possibilities to think about. The first would be to
>> consider making init script domains for these services because their init scripts do so
>> much. The second would be to investigate the possibility of some set of interfaces
>> (probably reverse) so that we don't have to update init with all of the /run directory
>> creation rules.
>
> I have been thinking (and playing) with the interface idea too.
> However, it would go away from the current "domain-driven" interfaces
> (where almost all interfaces' first argument is the domain on which it
> has effect) which might seem awkward to use (and I haven't the
> faintest idea how to call the interface then).
>
> Something like "init_generic_run_init_create_run_dirs(mysqld_var_run_t,
> "mysqld")" which allows initrc_t to create the "mysqld" directory in
> var_run_t with an automatic type transition towards mysqld_var_run_t.
>
> Another idea I had was to transform the run directories, like so:
>
> """
> type mysqld_var_run_t;
> files_pid_file(mysqld_var_run_t)
> files_dynamic_run_dir(mysqld_var_run_t, "mysqld")
> """
>
> This would then just have automatic file transitions for /run. period:
>
> interface(`files_dynamic_run_dir',`
>   gen_require(`
>     type var_run_t;
>   ')
>   filetrans_pattern(domain, var_run_t, $1, dir, $2)
> ')
>
> So if an init script, named init script, application domain or user
> does something like "mkdir /run/mysqld" then it automatically becomes
> mysqld_var_run_t.

Well I wouldn't go with the above because it's way too broad, unnecessarily gives
access to all domains, and breaks encapsulation. But the idea might make more
sense if we create a daemon pid file concept and allow initrc_t to create all daemon
pid file dirs. It would be similarly structured as your above examples.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
From: Sven Vermeulen @ 2012-08-07 17:59 UTC
To: refpolicy

On Tue, Aug 7, 2012 at 7:42 PM, Christopher J. PeBenito <cpebenito@tresys.com> wrote:
>> So if an init script, named init script, application domain or user
>> does something like "mkdir /run/mysqld" then it automatically becomes
>> mysqld_var_run_t.
>
> Well I wouldn't go with the above because it's way too broad, unnecessarily gives
> access to all domains, and breaks encapsulation. But the idea might make more
> sense if we create a daemon pid file concept and allow initrc_t to create all daemon
> pid file dirs. It would be similarly structured as your above examples.

I generally agree, but there are probably many "corner cases". I
mentioned one for DHCP before (which needs it instead of initrc_t),
another one is in the pipeline (tor, gentoo bug #429486). I imagine
there are quite a few others as well.

However, the "corner cases" don't have the downside of having three
different parties (initrc_t, var_run_t, <domain>_var_run_t) so can be
more easily updated:
files_pid_filetrans(tor_t, tor_var_run_t, dir, "tor") in tor.te
(assuming this is what the bug is about, haven't seen it in detail
yet).

I'll try with daemonpidfile and see how far we get.

Thanks for the feedback,
Sven Vermeulen
* [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
From: Dominick Grift @ 2012-08-07 18:04 UTC
To: refpolicy

On Tue, 2012-08-07 at 19:59 +0200, Sven Vermeulen wrote:
> On Tue, Aug 7, 2012 at 7:42 PM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
> >> So if an init script, named init script, application domain or user
> >> does something like "mkdir /run/mysqld" then it automatically becomes
> >> mysqld_var_run_t.
> >
> > Well I wouldn't go with the above because it's way too broad, unnecessarily gives
> > access to all domains, and breaks encapsulation. But the idea might make more
> > sense if we create a daemon pid file concept and allow initrc_t to create all daemon
> > pid file dirs. It would be similarly structured as your above examples.
>
> I generally agree, but there are probably many "corner cases". I
> mentioned one for DHCP before (which needs it instead of initrc_t),
> another one is in the pipeline (tor, gentoo bug #429486). I imagine
> there are quite a few others as well.
>
> However, the "corner cases" don't have the downside of having three
> different parties (initrc_t, var_run_t, <domain>_var_run_t) so can be
> more easily updated:
> files_pid_filetrans(tor_t, tor_var_run_t, dir, "tor") in tor.te
> (assuming this is what the bug is about, haven't seen it in detail
> yet).
>
> I'll try with daemonpidfile and see how far we get.

About initrc_t creating all these objects on /run and other tmpfs.

I think we should make that conditional.

Reasons:

Not all systems use /run (older systems probably don't have run)
In systems with systemd, systemd-tmpfilesd takes care of creation of
this content.

Although the initrc_t domain is considered trusted anyways. So I am not
sure.

Your input on this issue?

> Thanks for the feedback,
> Sven Vermeulen
* [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
From: Christopher J. PeBenito @ 2012-08-07 18:28 UTC
To: refpolicy

On 08/07/12 14:04, Dominick Grift wrote:
> On Tue, 2012-08-07 at 19:59 +0200, Sven Vermeulen wrote:
>> On Tue, Aug 7, 2012 at 7:42 PM, Christopher J. PeBenito
>> <cpebenito@tresys.com> wrote:
>>>> So if an init script, named init script, application domain or user
>>>> does something like "mkdir /run/mysqld" then it automatically becomes
>>>> mysqld_var_run_t.
>>>
>>> Well I wouldn't go with the above because it's way too broad, unnecessarily gives
>>> access to all domains, and breaks encapsulation. But the idea might make more
>>> sense if we create a daemon pid file concept and allow initrc_t to create all daemon
>>> pid file dirs. It would be similarly structured as your above examples.
>>
>> I generally agree, but there are probably many "corner cases". I
>> mentioned one for DHCP before (which needs it instead of initrc_t),
>> another one is in the pipeline (tor, gentoo bug #429486). I imagine
>> there are quite a few others as well.
>>
>> However, the "corner cases" don't have the downside of having three
>> different parties (initrc_t, var_run_t, <domain>_var_run_t) so can be
>> more easily updated:
>> files_pid_filetrans(tor_t, tor_var_run_t, dir, "tor") in tor.te
>> (assuming this is what the bug is about, haven't seen it in detail
>> yet).
>>
>> I'll try with daemonpidfile and see how far we get.
>
> About initrc_t creating all these objects on /run and other tmpfs.
>
> I think we should make that conditional.
>
> Reasons:
>
> Not all systems use /run (older systems probably don't have run)
> In systems with systemd, systemd-tmpfilesd takes care of creation of
> this content.
>
> Although the initrc_t domain is considered trusted anyways. So I am not
> sure.
>
> Your input on this issue?

It's a valid point, but my current feeling is that it's ok. Just as you say, initrc_t is trusted. If it is doing bad things, the system is in bad shape and extra directory creation perms in (/var)?/run is the least of your concerns. If it's a concern, we could always move to init script domains (eg httpd_initrc_t). That's a significant effort, but it would separate out a bunch of initrc_t's permissions.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus 2012-08-07 17:42 ` Christopher J. PeBenito 2012-08-07 17:59 ` Sven Vermeulen @ 2012-08-10 17:28 ` Sven Vermeulen 2012-08-14 12:19 ` Christopher J. PeBenito 1 sibling, 1 reply; 12+ messages in thread 
From: Sven Vermeulen @ 2012-08-10 17:28 UTC (permalink / raw) To: refpolicy On Tue, Aug 07, 2012 at 01:42:22PM -0400, Christopher J. PeBenito wrote: > > """ > > type mysqld_var_run_t; > > files_pid_file(mysqld_var_run_t) > > files_dynamic_run_dir(mysqld_var_run_t, "mysqld") > > """ > > > > This would then just have automatic file transitions for /run. period: > > > > interface(`files_dynamic_run_dir',` > > gen_require(` > > type var_run_t; > > ') > > filetrans_pattern(domain, var_run_t, $1, dir, $2) > > ') > > > > So if an init script, named init script, application domain or user > > does something like "mkdir /run/mysqld" then it automatically becomes > > mysqld_var_run_t. > > Well I wouldn't go with the above because its way too broad, unnecessarily > gives access to all domains, and breaks encapsulation. But the idea might > make more sense if we create a daemon pid file concept and allow initrc_t > to create all daemon pid file dirs. It would be similarly structured as > your above examples. So I've been thinking about this. Let's say we define an attribute called "daemonrundir" (or "daemonpidfile" [1]) and provide a transformation interface for that. In order to allow initrc_t to create these directories, we need to assign the name of the directory to use simultaneously with it. 
# $1 = rundir type, $2 = name of directory interface(`files_daemon_run_dir',` gen_require(` attribute daemonrundir; ') typeattribute $1 daemonrundir; init_generic_run_filetrans_specified_run_dir($1, $2) ') Another interface would allow creating directories of types that have the daemonrundir attribute set: # $1 = domain allowed access interface(`files_create_daemon_run_dir',` gen_require(` attribute daemonrundir; ') create_dirs_pattern($1, daemonrundir, daemonrundir) ') The final one is the "weird" one, for which I don't know a good naming convention for: # $1 = specified rundir type, $2 = name of the directory for which transition occurs interface(`init_generic_run_filetrans_specified_run_dir',` gen_require(` type initrc_t; ') files_pid_filetrans(initrc_t, $1, dir, $2) ') Is this about what you had in mind (or could go for)? It would mean we just need to do things like: diff --git a/tor.te b/tor.te index c842cad..6a0547a 100644 --- a/tor.te +++ b/tor.te @@ -35,6 +35,7 @@ logging_log_file(tor_var_log_t) # pid files type tor_var_run_t; files_pid_file(tor_var_run_t) +files_daemon_run_dir(tor_var_run_t, "tor") Another possibility would be to make it part of the files_pid_file() transformation (with an optional second parameter) but I don't think we can do stuff like the following, can we? ifdef(`$2',` # some additional statements if $2 is present ') Wkr, Sven Vermeulen [1] I am considering using "run" instead of "pid" for most purposes since PID files are nowadays the minority of stuff that is labeled with *_var_run_t. ^ permalink raw reply related [flat|nested] 12+ messages in thread
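Review bot: in the tor.te hunk, files_daemon_run_dir(tor_var_run_t, "tor") as sketched in this message only adds a transition for initrc_t, so it labels /run/tor correctly only when the init script creates it. If tor_t creates the directory itself, tor.te still needs its own files_pid_filetrans(tor_t, tor_var_run_t, dir, "tor"), as raised earlier in the thread. Nothing in the sketch calls files_create_daemon_run_dir(initrc_t) either, so no visible rule gives initrc_t create permission on daemonrundir types; that call belongs in init.te next to the new interface.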
* [refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus
From: Christopher J. PeBenito @ 2012-08-14 12:19 UTC
To: refpolicy

On 08/10/12 13:28, Sven Vermeulen wrote:
> On Tue, Aug 07, 2012 at 01:42:22PM -0400, Christopher J. PeBenito wrote:
>>> """
>>> type mysqld_var_run_t;
>>> files_pid_file(mysqld_var_run_t)
>>> files_dynamic_run_dir(mysqld_var_run_t, "mysqld")
>>> """
>>>
>>> This would then just have automatic file transitions for /run. period:
>>>
>>> interface(`files_dynamic_run_dir',`
>>>   gen_require(`
>>>     type var_run_t;
>>>   ')
>>>   filetrans_pattern(domain, var_run_t, $1, dir, $2)
>>> ')
>>>
>>> So if an init script, named init script, application domain or user
>>> does something like "mkdir /run/mysqld" then it automatically becomes
>>> mysqld_var_run_t.
>>
>> Well I wouldn't go with the above because it's way too broad, unnecessarily
>> gives access to all domains, and breaks encapsulation. But the idea might
>> make more sense if we create a daemon pid file concept and allow initrc_t
>> to create all daemon pid file dirs. It would be similarly structured as
>> your above examples.
>
> So I've been thinking about this. Let's say we define an attribute called
> "daemonrundir" (or "daemonpidfile" [1]) and provide a transformation
> interface for that. In order to allow initrc_t to create these directories,
> we need to assign the name of the directory to use simultaneously with it.
>
> # $1 = rundir type, $2 = name of directory
> interface(`files_daemon_run_dir',`
>   gen_require(`
>     attribute daemonrundir;
>   ')
>
>   typeattribute $1 daemonrundir;
>
>   init_generic_run_filetrans_specified_run_dir($1, $2)
> ')
>
> Another interface would allow creating directories of types that have the
> daemonrundir attribute set:
>
> # $1 = domain allowed access
> interface(`files_create_daemon_run_dir',`
>   gen_require(`
>     attribute daemonrundir;
>   ')
>
>   create_dirs_pattern($1, daemonrundir, daemonrundir)
> ')
>
> The final one is the "weird" one, for which I don't know a good naming
> convention for:
>
> # $1 = specified rundir type, $2 = name of the directory for which transition occurs
> interface(`init_generic_run_filetrans_specified_run_dir',`
>   gen_require(`
>     type initrc_t;
>   ')
>
>   files_pid_filetrans(initrc_t, $1, dir, $2)
> ')
>
> Is this about what you had in mind (or could go for)?

I had something like this in mind, except in my mind daemonpidfile was going to live in init module, so the implementation would be simpler. The daemon concept already exists in init, so it makes sense to me.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
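The design the thread converges on (the attribute living in the init module, with a transition scoped to initrc_t), sketched as policy source. This is an added example, not code posted by anyone in the thread or taken from the refpolicy tree. The interface name init_daemon_run_dir, the attribute name daemonrundir and the exact permission list are assumptions; the types and the files_pid_file()/files_pid_filetrans() calls are the ones used in the messages above.

```m4
########################################
# init.te (sketch): one attribute collects every daemon run-dir type

attribute daemonrundir;

# initrc_t may create and chown/chmod directories of those types, nothing
# more (no rmdir, no rename). setattr is included because the v2 changelog
# says the mysql init script needs it.
allow initrc_t daemonrundir:dir { getattr create setattr };

########################################
# init.if (sketch): "reverse" interface, called by the daemon module
#
# $1 = run directory type of the daemon
# $2 = name of the directory under /run
#
interface(`init_daemon_run_dir',`
	gen_require(`
		attribute daemonrundir;
		type initrc_t;
	')

	typeattribute $1 daemonrundir;
	files_pid_file($1)

	# Named transition scoped to initrc_t only: "mkdir /run/$2" by an
	# init script yields type $1. Other domains get no transition and no
	# access, unlike the filetrans_pattern(domain, ...) variant.
	files_pid_filetrans(initrc_t, $1, dir, $2)
')

########################################
# mysql.te / tor.te (sketch): each module declares its own directory,
# so init.te no longer grows one rule per service

type mysqld_var_run_t;
init_daemon_run_dir(mysqld_var_run_t, "mysqld")

type tor_var_run_t;
init_daemon_run_dir(tor_var_run_t, "tor")

# Corner case from the thread: when the daemon domain itself creates the
# directory, the transition stays local to that module.
files_pid_filetrans(tor_t, tor_var_run_t, dir, "tor")
```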