[refpolicy] Defining per-service initrc domains
jsolt at tresys.com
Tue Dec 7 10:20:02 CST 2010
> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com
> [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Stephen Smalley
> Sent: Tuesday, July 13, 2010 4:58 PM
> To: refpolicy at oss1.tresys.com
> Subject: [refpolicy] Defining per-service initrc domains
> We would like to be able to define a set of per-service
> initrc domains for particular rc scripts. Although there
> seem to be a number of per-service rc script file types (e.g.
> ftpd_initrc_exec_t), init_t still transitions to the single
> initrc_t domain on all of those file types.
> We want to instead launch the different rc scripts in
> distinct domains from which we can then define per-service
> domain and file type transitions as well as different permissions.
> At first I thought that the init_script_domain() interface
> might work for this purpose, but that yields a transition to
> the single initrc_t domain from init_t and unconfined_t and
> only transitions to the new domain if we started from
> initrc_t. Is that intentional or a mistake?
> I presume it is happening as a result of rules on the type
> attributes elsewhere outside of the interface itself.
> Is there any precedent for creating such per-service initrc domains?
> And do we have any interfaces for doing so?
> Stephen Smalley
> National Security Agency
I know it's been a while, but were you able to get this working
correctly? If not, I need some clarification. Were you trying to go from
init_t directly to ftpd_initrc_t over ftpd_initrc_exec_t (skipping
initrc_t completely)? Or just init_t -> initrc_t -> ftpd_initrc_t ->
I ran some tests on init_script_domain(). On a Fedora 13 system, I
tested this out with qpidd and saw the following transitions:
init_t -> initrc_t -> qpidd_initrc_t -> qpidd_t
On a RHEL 5 system, I installed reference policy (to make sure the
problem hadn't been fixed by Dan in Fedora's patches) and tried this
with the ntp daemon. My transitions:
init_t -> initrc_t -> ntpd_initrc_t -> ntpd_t
Is this the path you were looking for or am I misunderstanding the
jsolt at tresys.com | www.tresys.com