[refpolicy] [PATCH v4 2/5] Supporting interfaces for the /run changes

Sven Vermeulen sven.vermeulen at siphos.be
Thu Jul 12 12:17:54 CDT 2012


Since most distributions now support /run (which, thanks the the
file context substitutions, is marked as var_run_t), we need to update the
SELinux policies to support "dynamically" building up /run. Unlike /var/run,
which is most likely statically defined during distribution installation, /run
is a tmpfs which is built up from scratch on each and every boot.

But not only that, many services also use this location for other purposes than
just PID files (which is to be expected as these "other reasons" is why /run
came to be in the first place), so we need to support other types within this
location easily.

For this reason, we introduce support to
- creating the /run/lock location
- supporting named file transitions when init scripts create stuff in /run

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
 policy/modules/kernel/files.if |   61 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 61 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 41346fb..e951402 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5608,6 +5608,26 @@ interface(`files_list_locks',`
 
 ########################################
 ## <summary>
+## 	Create lock directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`files_create_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	create_dirs_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
 ##	Add and remove entries in the /var/lock
 ##	directories.
 ## </summary>
@@ -5628,6 +5648,24 @@ interface(`files_rw_lock_dirs',`
 
 ########################################
 ## <summary>
+##	Set the attributes of the generic lock directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_setattr_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	setattr_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
 ##	Relabel to and from all lock directory types.
 ## </summary>
 ## <param name="domain">
@@ -6016,6 +6054,29 @@ interface(`files_pid_filetrans',`
 
 ########################################
 ## <summary>
+## 	Create a generic lock directory within the run directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_pid_filetrans_lock_dir',`
+	gen_require(`
+		type var_lock_t;
+	')
+
+	files_pid_filetrans($1, var_lock_t, dir, $2)
+')
+
+########################################
+## <summary>
 ##	Read and write generic process ID files.
 ## </summary>
 ## <param name="domain">
-- 
1.7.8.6



More information about the refpolicy mailing list