[refpolicy] Defining per-service initrc domains

Jeremy Solt jsolt at tresys.com
Tue Dec 7 10:20:02 CST 2010

> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com 
> [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Stephen Smalley
> Sent: Tuesday, July 13, 2010 4:58 PM
> To: refpolicy at oss1.tresys.com
> Subject: [refpolicy] Defining per-service initrc domains
>
> Hi,
>
> We would like to be able to define a set of per-service 
> initrc domains for particular rc scripts.  Although there 
> seem to be a number of per-service rc script file types (e.g. 
> ftpd_initrc_exec_t), init_t still transitions to the single 
> initrc_t domain on all of those file types.
>
> We want to instead launch the different rc scripts in 
> distinct domains from which we can then define per-service 
> domain and file type transitions as well as different permissions.
>
> At first I thought that the init_script_domain() interface 
> might work for this purpose, but that yields a transition to 
> the single initrc_t domain from init_t and unconfined_t and 
> only transitions to the new domain if we started from 
> initrc_t.  Is that intentional or a mistake?
>
> I presume it is happening as a result of rules on the type 
> attributes elsewhere outside of the interface itself.
>
> Is there any precedent for creating such per-service initrc domains?
> And do we have any interfaces for doing so?
> --
> Stephen Smalley
> National Security Agency

Hi Stephen,

I know it's been a while, but were you able to get this working
correctly? If not, I need some clarification. Were you trying to go from
init_t directly to ftpd_initrc_t over ftpd_initrc_exec_t (skipping
initrc_t completely)? Or just init_t -> initrc_t -> ftpd_initrc_t ->
ftpd_t ?

I ran some tests on init_script_domain(). On a Fedora 13 system, I
tested this out with qpidd and saw the following transitions:
init_t -> initrc_t -> qpidd_initrc_t -> qpidd_t

On a RHEL 5 system, I installed reference policy (to make sure the
problem hadn't been fixed by Dan in Fedora's patches) and tried this
with the ntp daemon. My transitions:
init_t -> initrc_t -> ntpd_initrc_t -> ntpd_t

Is this the path you were looking for or am I misunderstanding the

Jeremy Solt
Tresys Technology
jsolt at tresys.com | www.tresys.com
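The policy shape the thread is discussing, written out as an added example (this is not code from either message or from refpolicy itself): a module that declares a per-service initrc domain with init_script_domain() and a daemon domain that only that initrc domain may start. The service name "mysvc", its types and the file context are invented for illustration; the example assumes the usual refpolicy meaning of init_script_domain(domain, entrypoint), domain_type(), domain_entry_file() and domtrans_pattern(), which is an assumption about the interface definitions rather than something the thread states.

```m4
# Added example, not from the mailing-list thread or from refpolicy.
# Hypothetical service "mysvc": all type names below are constructed.
# Assumes refpolicy's init_script_domain(domain, entrypoint) semantics.
policy_module(mysvc, 1.0.0)

########################################
#
# Declarations
#

# The daemon domain and its executable. Declared with the generic
# domain interfaces rather than init_daemon_domain() on purpose:
# init_daemon_domain() would also give the shared initrc_t a
# transition to mysvc_t, which is what we want to avoid here.
type mysvc_t;
type mysvc_exec_t;
domain_type(mysvc_t)
domain_entry_file(mysvc_t, mysvc_exec_t)
role system_r types mysvc_t;

# The per-service initrc domain and the rc script that enters it.
# init_script_domain() gives initrc_t the transition to mysvc_initrc_t
# on mysvc_initrc_exec_t; init_t itself still goes to initrc_t first,
# so the expected chain is init_t -> initrc_t -> mysvc_initrc_t -> mysvc_t.
type mysvc_initrc_t;
type mysvc_initrc_exec_t;
init_script_domain(mysvc_initrc_t, mysvc_initrc_exec_t)

########################################
#
# Per-service initrc domain local policy
#

# Only the per-service rc-script domain may start the daemon.
domtrans_pattern(mysvc_initrc_t, mysvc_exec_t, mysvc_t)

# Baseline permissions a shell rc script typically needs. Grant only
# what the script is observed to use (audit log, then refine).
allow mysvc_initrc_t self:process { fork signal sigchld };
allow mysvc_initrc_t self:fifo_file rw_fifo_file_perms;
corecmd_exec_bin(mysvc_initrc_t)
corecmd_exec_shell(mysvc_initrc_t)
files_read_etc_files(mysvc_initrc_t)
```

The matching file-context entry (in the module's .fc file) labels the rc script itself, for example `/etc/rc\.d/init\.d/mysvc -- gen_context(system_u:object_r:mysvc_initrc_exec_t,s0)`. After the module is built and loaded, the transition chain can be confirmed from the compiled policy rather than by running the service: `sesearch -T -s init_t -t mysvc_initrc_exec_t` should show the transition landing in initrc_t, `sesearch -T -s initrc_t -t mysvc_initrc_exec_t` the transition to mysvc_initrc_t, and `sesearch -T -t mysvc_exec_t` only the rule from mysvc_initrc_t, which is the check that the shared initrc_t did not pick up a path to the daemon domain.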
