From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] RFC: Supporting tmpfiles policy-wise
Date: Wed, 30 Jul 2014 14:42:05 -0400 [thread overview]
Message-ID: <53D93C7D.4050101@tresys.com> (raw)
In-Reply-To: <20140729161202.GA12297@siphos.be>
On 7/29/2014 12:12 PM, Sven Vermeulen wrote:
> I'd like to hear from you about the following - given the discussion on this
> list earlier, I think the approach below is the best. Putting tmpfiles in
> the not-yet-available systemd policy might not be the best approach, as
> tmpfiles support will be needed in other init systems as well as upstream
> projects start supporting tmpfiles.d/*.conf.
>
> The tmpfiles application, as documented in [1], is used to prepare directory
> structures in runtime, volatile locations (such as /var/run, /run and
> perhaps even /tmp and /var/tmp).
>
> [1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
[...]
> In my humble opinion, this is a full-fledged application with a defined
> interface for administrators, and with specific privileges (creating &
> deleting resources all around the place). I think the best approach here
> would be to create a separate tmpfiles module, which
I agree that it should be its own module.
> - defines the (a.) directory as tmpfiles_usr_lib_t
> - defines the (b.) directory as tmpfiles_var_run_t
> - defines the (c.) directory as tmpfiles_conf_t
> - creates a tmpfiles_t domain that has
> -- read privileges on tmpfiles_{usr_lib,var_run,conf}_t
> -- create+write+delete privileges on pidfiles, device_t,
> device_node, tmp_t and so forth (cfr [1] documentation)
> -- capability to set labels on all resources
> - introduce the proper interface(s) to allow other domains to interact with
> the defined resource types
[...]
> As tmpfiles is SELinux-aware and performs restorecon (or similar) internally
> on the generated resources (at least from looking at the code, that is) we
> don't need to include many file transitions, instead make sure that the
> domain is capable of setting contexts.
If it's SELinux-aware, why doesn't it setfscreatecon() instead of
relabeling?
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2014-07-30 18:42 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-29 16:12 [refpolicy] RFC: Supporting tmpfiles policy-wise Sven Vermeulen
2014-07-30 18:42 ` Christopher J. PeBenito [this message]
2014-07-30 20:57 ` Jason Zaman
2014-08-02 8:23 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53D93C7D.4050101@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.