[refpolicy] Defining per-service initrc domains

Paul Nuzzi pjnuzzi at tycho.ncsc.mil
Thu Dec 9 16:10:35 CST 2010

On 12/09/2010 02:49 PM, Stephen Smalley wrote:
> On Tue, 2010-12-07 at 11:20 -0500, Jeremy Solt wrote:
>> Hi Stephen,
>> I know it's been a while, but were you able to get this working
>> correctly? If not, I need some clarification. Were you trying to go from
>> init_t directly to ftpd_initrc_t over ftpd_initrc_exec_t (skipping
>> initrc_t completely)? Or just init_t -> initrc_t -> ftpd_initrc_t ->
>> ftpd_t ?
>> I ran some tests on init_script_domain(). On a Fedora 13 system, I
>> tested this out with qpidd and saw the following transitions:
>> init_t -> initrc_t -> qpidd_initrc_t -> qpidd_t
>> On a RHEL 5 system, I installed reference policy (to make sure the
>> problem hadn't been fixed by Dan in Fedora's patches) and tried this
>> with the ntp daemon. My transitions:
>> init_t -> initrc_t -> ntpd_initrc_t -> ntpd_t
>> Is this the path you were looking for or am I misunderstanding the
>> problem? 
> That sounds right, but it didn't seem to work for us.  We were trying it
> for the hadoop policy that has subsequently been merged, in order to get
> the hadoop daemons into the right domains.

We were having an issue where five different domains were being started with the same executable (hadoop_exec_t).  If I remember correctly, init_script_domain or init_daemon_domain wasn't allowing us to have multiple domain entries for one executable.  init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t) seemed to solve the problem.
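The reason a single init_daemon_domain() call cannot do this is that a source domain may carry only one type_transition default for a given target type and object class, so initrc_t executing hadoop_exec_t can be told to land in exactly one daemon domain. Giving each service its own initrc domain and its own init-script type moves the distinguishing step to the script, which is unique per service; the shared executable then only has to be a valid entry point for each daemon domain. The following is an added illustration of that pattern written for this thread, not the refpolicy hadoop module as merged. The module name mysvc, the three instance names and the paths in the .fc section are placeholders; it assumes the stock refpolicy interfaces init_script_domain(), domtrans_pattern(), domain_entry_file() and application_executable_file().

```selinux
## Added example, not refpolicy's own hadoop policy. Names prefixed
## mysvc_ and the paths below are hypothetical.

# --- mysvc.if ---
template(`mysvc_domain_template',`
	gen_require(`
		attribute mysvc_domain;
		type mysvc_exec_t;
	')

	# Daemon domain for this instance. The shared binary is an entry
	# point for every instance's domain; the entry point alone does
	# not decide which domain is entered.
	type mysvc_$1_t, mysvc_domain;
	domain_type(mysvc_$1_t)
	domain_entry_file(mysvc_$1_t, mysvc_exec_t)

	# Per-service initrc domain with its own init script type.
	# init_script_domain() supplies the hop
	#   initrc_t -> mysvc_$1_initrc_t  (over mysvc_$1_initrc_exec_t)
	# and the script type is unique per instance, so no two
	# instances compete for the same type_transition rule.
	type mysvc_$1_initrc_t;
	type mysvc_$1_initrc_exec_t;
	init_script_domain(mysvc_$1_initrc_t, mysvc_$1_initrc_exec_t)
	role system_r types mysvc_$1_initrc_t;

	# Last hop: this instance's initrc domain executes the shared
	# binary and lands in this instance's daemon domain. Each rule
	# has a different source domain, so they do not conflict.
	domtrans_pattern(mysvc_$1_initrc_t, mysvc_exec_t, mysvc_$1_t)
')

# --- mysvc.te ---
policy_module(mysvc, 1.0.0)

attribute mysvc_domain;

# One executable type shared by all instances.
type mysvc_exec_t;
application_executable_file(mysvc_exec_t)

# One invocation per service; each yields
#   init_t -> initrc_t -> mysvc_<name>_initrc_t -> mysvc_<name>_t
mysvc_domain_template(datanode)
mysvc_domain_template(namenode)
mysvc_domain_template(tasktracker)

# --- mysvc.fc --- (hypothetical paths)
/etc/rc\.d/init\.d/mysvc-datanode    --  gen_context(system_u:object_r:mysvc_datanode_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mysvc-namenode    --  gen_context(system_u:object_r:mysvc_namenode_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mysvc-tasktracker --  gen_context(system_u:object_r:mysvc_tasktracker_initrc_exec_t,s0)
/usr/lib/mysvc/bin/mysvc             --  gen_context(system_u:object_r:mysvc_exec_t,s0)
```

After loading the module, the two hops of one instance can be confirmed from the compiled policy with sesearch, e.g. `sesearch -T -s initrc_t -t mysvc_datanode_initrc_exec_t -c process` and `sesearch -T -s mysvc_datanode_initrc_t -t mysvc_exec_t -c process`; each should print exactly one type_transition rule. Trying instead to add `init_daemon_domain(mysvc_<name>_t, mysvc_exec_t)` for more than one instance will fail at policy build time with a conflicting type_transition on initrc_t, which is the failure this thread describes.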
