[refpolicy] [PATCH 0/2] More /run changes

[refpolicy] [PATCH 0/2] More /run changes

[Sven Vermeulen]

This set contains a few more /run changes:
- dhcpc creates /run/dhcpc (through scripts in the dhcpcd-hooks)
- dbus' init script creates /run/dbus
- mysql' init script creates /run/mysqld

It will be submitted separately: first the changes to the contrib modules,
followed by the changes to the core policy modules.

Sven Vermeulen (2):
  Introducing interfaces for /run transitioning
  Introduce interfaces for mysql /run support

 dbus.if  |   47 +++++++++++++++++++++++++++++++++++++++++++++++
 mysql.if |   47 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+), 0 deletions(-)

-- 
1.7.8.6

[refpolicy] [PATCH 1/2] Introducing interfaces for /run transitioning

[Sven Vermeulen]

To allow the dbus init scripts to, when they create the /run/dbus directory,
automatically transition towards the system_dbusd_var_run_t label, we need to
introduce two interfaces: one for the transitioning itself, and one to allow the
init script to create directories of system_dbusd_var_run_t type.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 dbus.if |   47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 47 insertions(+), 0 deletions(-)

diff --git a/dbus.if b/dbus.if
index fb4bf82..b0322b5 100644
--- a/dbus.if
+++ b/dbus.if
@@ -485,6 +485,53 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
+##	Automatically transition towards the system_dbus_var_run_t for resources
+##	created in the generic var_run_t locations.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Classes supported for the transitioning
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Optional file name used for the resources
+##	</summary>
+## </param>
+#
+interface(`dbus_generic_pid_filetrans_system_dbusd_run',`
+	gen_require(`
+		type system_dbusd_var_run_t;
+	')
+
+	files_pid_filetrans($1, system_dbusd_var_run_t, $2, $3)
+')
+
+##########################################
+## <summary>
+##	Create directories with the system_dbusd_var_run_t label
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`dbus_create_system_dbusd_run_dirs',`
+	gen_require(`
+		type system_dbusd_var_run_t;
+	')
+
+	create_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+## <summary>
 ##	Allow unconfined access to the system DBUS.
 ## </summary>
 ## <param name="domain">
-- 
1.7.8.6

[refpolicy] [PATCH 2/2] Introduce interfaces for mysql /run support

[Sven Vermeulen]

To allow the mysql init scripts to create /run/mysqld, we need to include two
interfaces from mysql: one to support the file transition towards
mysqld_var_run_t, and one to allow the init scripts to create
mysqld_var_run_t-labeled directories

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mysql.if |   47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 47 insertions(+), 0 deletions(-)

diff --git a/mysql.if b/mysql.if
index e9c0982..4346735 100644
--- a/mysql.if
+++ b/mysql.if
@@ -311,6 +311,53 @@ interface(`mysql_search_pid_files',`
 	search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
 ')
 
+#######################################
+## <summary>
+##	Automatically use the MySQL run label for created resources in the
+##	generic run location(s).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to have automatic transitioning
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Resource class for which an automatic transition should occur
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	The name of the resource being created
+##	</summary>
+## </param>
+#
+interface(`mysql_generic_run_filetrans_pid',`
+	gen_require(`
+		type mysqld_var_run_t;
+	')
+
+	files_pid_filetrans($1, mysqld_var_run_t, $2, $3)
+')
+
+#######################################
+## <summary>
+##	Create MySQLd run directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mysql_create_run_dirs',`
+	gen_require(`
+		type mysqld_var_run_t;
+	')
+
+	create_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate an mysql environment
-- 
1.7.8.6