[refpolicy] [PATCH v2 2/2] Allow init scripts to create /run/mysqld and /run/dbus

[cpebenito@tresys.com (Christopher J. PeBenito)]

On 08/10/12 13:28, Sven Vermeulen wrote:
> On Tue, Aug 07, 2012 at 01:42:22PM -0400, Christopher J. PeBenito wrote:
>>> """
>>> type mysqld_var_run_t;
>>> files_pid_file(mysqld_var_run_t)
>>> files_dynamic_run_dir(mysqld_var_run_t, "mysqld")
>>> """
>>>
>>> This would then just have automatic file transitions for /run. period:
>>>
>>> interface(`files_dynamic_run_dir',`
>>>   gen_require(`
>>>     type var_run_t;
>>>   ')
>>>   filetrans_pattern(domain, var_run_t, $1, dir, $2)
>>> ')
>>>
>>> So if an init script, named init script, application domain or user
>>> does something like "mkdir /run/mysqld" then it automatically becomes
>>> mysqld_var_run_t.
>>
>> Well I wouldn't go with the above because its way too broad, unnecessarily 
>> gives access to all domains, and breaks encapsulation.  But the idea might
>> make more sense if we create a daemon pid file concept and allow initrc_t
>> to create all daemon pid file dirs.  It would be similarly structured as
>> your above examples.
> 
> So I've been thinking about this. Let's say we define an attribute called
> "daemonrundir" (or "daemonpidfile" [1]) and provide a transformation
> interface for that. In order to allow initrc_t to create these directories,
> we need to assign the name of the directory to use simultaneously with it.
> 
> # $1 = rundir type, $2 = name of directory
> interface(`files_daemon_run_dir',`
> 	gen_require(`
> 		attribute daemonrundir;
> 	')
> 
> 	typeattribute $1 daemonrundir;
> 
> 	init_generic_run_filetrans_specified_run_dir($1, $2)
> ')
> 
> Another interface would allow creating directories of types that have the
> daemonrundir attribute set:
> 
> # $1 = domain allowed access
> interface(`files_create_daemon_run_dir',`
> 	gen_require(`
> 		attribute daemonrundir;
> 	')
> 
> 	create_dirs_pattern($1, daemonrundir, daemonrundir)
> ')
> 
> The final one is the "weird" one, for which I don't know a good naming
> convention for:
> 
> # $1 = specified rundir type, $2 = name of the directory for which transition occurs
> interface(`init_generic_run_filetrans_specified_run_dir',`
> 	gen_require(`
> 		type initrc_t;
> 	')
> 
> 	files_pid_filetrans(initrc_t, $1, dir, $2)
> ')
> 
> Is this about what you had in mind (or could go for)?

I had something like this in mind, except in my mind daemonpidfile was going to live in init module, so the implementation would be simpler.  The daemon concept already exists in init, so it makes sense to me.


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com