* [refpolicy] [PATCH v2 0/3] Using init_daemon_pid_file
@ 2014-06-25 19:52 Sven Vermeulen
  2014-06-25 19:53 ` [refpolicy] [PATCH v2 1/3] Support initrc_t generated pid files with file transition Sven Vermeulen
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:52 UTC
  To: refpolicy

This patchset introduces the init_daemon_pid_file interface, deprecates init_daemon_run_dir and updates the non-contrib modules to use the new init_daemon_pid_file interface.

Changes since v1:
- Do not remove old attribute yet, keep it for backwards compatibility

Sven Vermeulen (3):
  Support initrc_t generated pid files with file transition
  Deprecate init_daemon_run_dir interface
  Use init_daemon_pid_file instead of init_daemon_run_dir

 policy/modules/services/postgresql.te |  2 +-
 policy/modules/services/ssh.te        |  2 +-
 policy/modules/system/init.if         | 38 ++++++++++++++++++++++++++++++++---
 policy/modules/system/init.te         |  8 ++++++++
 policy/modules/system/setrans.te      |  2 +-
 policy/modules/system/sysnetwork.te   |  2 +-
 policy/modules/system/udev.te         |  2 +-
 7 files changed, 48 insertions(+), 8 deletions(-)

-- 
1.8.5.5

* [refpolicy] [PATCH v2 1/3] Support initrc_t generated pid files with file transition
  2014-06-25 19:52 [refpolicy] [PATCH v2 0/3] Using init_daemon_pid_file Sven Vermeulen
@ 2014-06-25 19:53 ` Sven Vermeulen
  2014-06-25 19:53 ` [refpolicy] [PATCH v2 2/3] Deprecate init_daemon_run_dir interface Sven Vermeulen
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:53 UTC
  To: refpolicy

For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).

The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.

The interface requires the class(es) on which the file transition should
occur, like so:

  init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
  init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.if | 33 +++++++++++++++++++++++++++++++++
 policy/modules/system/init.te |  6 ++++++
 2 files changed, 39 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4c66daf..a168713 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -412,6 +412,39 @@ interface(`init_ranged_system_domain',`
 
 ########################################
 ## <summary>
+##	Mark the file type as a daemon pid file, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon pid file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+	gen_require(`
+		attribute daemonpidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonpidfile;
+
+	files_pid_file($1)
+	files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Mark the file type as a daemon run dir, allowing initrc_t
 ##	to create it
 ## </summary>
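Review bot: The `class` parameter summary ("Class on which the type is applied") does not say which classes are supported, yet the interface passes $2 straight to files_pid_filetrans(). The init.te rules added in this patch only cover directories and regular files for daemonpidfile, so a caller passing another class (sock_file, for example) would get the type transition but no permission for initrc_t to create the object. Document the supported classes (dir, file) in the param summary, and reword the filename summary, since the object created may be a directory.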
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5dc9bfd..17ecd36 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -23,6 +23,8 @@ attribute init_run_all_scripts_domain;
 # Mark process types as daemons
 attribute daemon;
 
+# Mark file type as a daemon pid file
+attribute daemonpidfile;
 # Mark file type as a daemon run directory
 attribute daemonrundir;
 
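Review bot: The new `attribute daemonpidfile;` declaration runs straight into the following "daemon run directory" comment, while the preceding `attribute daemon;` block is set off by a blank line. Add a blank line after `attribute daemonpidfile;` so each attribute keeps its own comment block.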
@@ -251,6 +253,10 @@ init_telinit(initrc_t)
 
 can_exec(initrc_t, init_script_file_type)
 
+create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
+manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile)
+setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
+
 create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
 setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
 
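Review bot: manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile) gives initrc_t full management (read, write, rename, unlink and so on) of files of every type marked through init_daemon_pid_file(), which is considerably wider than the create/setattr pair granted for directories here and in the existing daemonrundir rules just below. If init scripts only need to create and write the PID file, a narrower pattern would keep closer to least privilege; otherwise add a comment above the block saying why manage is required.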
-- 
1.8.5.5

* [refpolicy] [PATCH v2 2/3] Deprecate init_daemon_run_dir interface
  2014-06-25 19:52 [refpolicy] [PATCH v2 0/3] Using init_daemon_pid_file Sven Vermeulen
  2014-06-25 19:53 ` [refpolicy] [PATCH v2 1/3] Support initrc_t generated pid files with file transition Sven Vermeulen
@ 2014-06-25 19:53 ` Sven Vermeulen
  2014-06-25 19:53 ` [refpolicy] [PATCH v2 3/3] Use init_daemon_pid_file instead of init_daemon_run_dir Sven Vermeulen
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:53 UTC
  To: refpolicy

With init_daemon_pid_file supporting class parameters, all calls to
init_daemon_run_dir can now be transformed into init_daemon_pid_file
calls.

Update the init_daemon_run_dir interface so it gives a warning when
used, and use the init_daemon_pid_file interface underlyingly.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.if | 5 ++---
 policy/modules/system/init.te | 2 ++
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index a168713..15483b0 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -465,9 +465,8 @@ interface(`init_daemon_run_dir',`
 		type initrc_t;
 	')
 
-	typeattribute $1 daemonrundir;
-
-	files_pid_filetrans(initrc_t, $1, dir, $2)
+	refpolicywarn(`$0($*) has been deprecated, use init_daemon_pid_file() instead.')
+	init_daemon_pid_file($1, dir, $2)
 ')
 
 ########################################
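Review bot: With the body reduced to refpolicywarn() and `init_daemon_pid_file($1, dir, $2)`, the `type initrc_t;` left in the gen_require block above is no longer referenced by this interface. Drop the unused require, and consider marking the deprecation in the interface's summary documentation as well, so that it is visible to readers of the docs and not only at build time.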
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17ecd36..7414ca4 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -26,6 +26,7 @@ attribute daemon;
 # Mark file type as a daemon pid file
 attribute daemonpidfile;
 # Mark file type as a daemon run directory
+# TODO - this attribute is deprecated and kept for a short while for compatibility
 attribute daemonrundir;
 
 #
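Review bot: Once init_daemon_run_dir stops doing `typeattribute $1 daemonrundir;` (init.if hunk of this patch), no line in this series assigns the attribute any more, so the TODO should say whom the compatibility is for (modules outside this tree that assign daemonrundir directly?) and name a removal point instead of "a short while".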
@@ -257,6 +258,7 @@ create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
 manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile)
 setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
 
+# TODO - this is deprecated supported for a short while for backwards compatibility
 create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
 setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
 
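Review bot: The added comment reads "this is deprecated supported for a short while", which is missing a conjunction. Match the wording used for the attribute declaration earlier in the same file ("deprecated and kept for a short while for compatibility") so both TODO markers can be found with one search.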
-- 
1.8.5.5

* [refpolicy] [PATCH v2 3/3] Use init_daemon_pid_file instead of init_daemon_run_dir
  2014-06-25 19:52 [refpolicy] [PATCH v2 0/3] Using init_daemon_pid_file Sven Vermeulen
  2014-06-25 19:53 ` [refpolicy] [PATCH v2 1/3] Support initrc_t generated pid files with file transition Sven Vermeulen
  2014-06-25 19:53 ` [refpolicy] [PATCH v2 2/3] Deprecate init_daemon_run_dir interface Sven Vermeulen
@ 2014-06-25 19:53 ` Sven Vermeulen
  2014-06-26 12:38 ` [refpolicy] [PATCH v2 0/3] Using init_daemon_pid_file Christopher J. PeBenito
  2014-06-30 18:37 ` Christopher J. PeBenito
  4 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:53 UTC
  To: refpolicy

Update non-contrib modules to use init_daemon_pid_file instead of
init_daemon_run_dir.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/services/postgresql.te | 2 +-
 policy/modules/services/ssh.te        | 2 +-
 policy/modules/system/setrans.te      | 2 +-
 policy/modules/system/sysnetwork.te   | 2 +-
 policy/modules/system/udev.te         | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index c771377..c38bb46 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -63,7 +63,7 @@ files_tmp_file(postgresql_tmp_t)
 
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
-init_daemon_run_dir(postgresql_var_run_t, "postgresql")
+init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")
 
 # database clients attribute
 attribute sepgsql_admin_type;
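Review bot: The `files_pid_file(postgresql_var_run_t)` context line directly above the changed call is now redundant, because init_daemon_pid_file() calls files_pid_file($1) itself (patch 1/3). Drop the explicit call or keep it deliberately, and treat the udev.te and setrans.te hunks the same way, where the same pairing is visible.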
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 536a2d9..43b9cc1 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -85,7 +85,7 @@ type sshd_keytab_t;
 files_type(sshd_keytab_t)
 
 ifdef(`distro_debian',`
-	init_daemon_run_dir(sshd_var_run_t, "sshd")
+	init_daemon_pid_file(sshd_var_run_t, dir, "sshd")
 ')
 
 ##############################
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index a840e70..057456c 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -21,7 +21,7 @@ files_pid_file(setrans_var_run_t)
 mls_trusted_object(setrans_var_run_t)
 
 ifdef(`distro_debian',`
-	init_daemon_run_dir(setrans_var_run_t, "setrans")
+	init_daemon_pid_file(setrans_var_run_t, dir, "setrans")
 ')
 
 ifdef(`enable_mcs',`
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 4b6a520..9bd538b 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -40,7 +40,7 @@ type net_conf_t alias resolv_conf_t;
 files_type(net_conf_t)
 
 ifdef(`distro_debian',`
-	init_daemon_run_dir(net_conf_t, "network")
+	init_daemon_pid_file(net_conf_t, dir, "network")
 ')
 
 ########################################
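Review bot: Converting `init_daemon_run_dir(net_conf_t, "network")` widens access beyond the old behaviour, because net_conf_t is declared here with files_type() and aliased to resolv_conf_t, so it is a configuration type and not a PID type. The new interface applies files_pid_file(net_conf_t) and the daemonpidfile attribute, and the manage_files_pattern rule added in 1/3 then lets initrc_t manage files of that type, where the old interface only added a dir transition and the daemonrundir attribute. Confirm the widening is intended for the Debian case, or give the /run "network" directory a dedicated type.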
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f4545f5..d3d5509 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -25,7 +25,7 @@ files_type(udev_rules_t)
 
 type udev_var_run_t;
 files_pid_file(udev_var_run_t)
-init_daemon_run_dir(udev_var_run_t, "udev")
+init_daemon_pid_file(udev_var_run_t, dir, "udev")
 
 ifdef(`enable_mcs',`
 	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-- 
1.8.5.5

* [refpolicy] [PATCH v2 0/3] Using init_daemon_pid_file
  2014-06-25 19:52 [refpolicy] [PATCH v2 0/3] Using init_daemon_pid_file Sven Vermeulen
                   ` (2 preceding siblings ...)
  2014-06-25 19:53 ` [refpolicy] [PATCH v2 3/3] Use init_daemon_pid_file instead of init_daemon_run_dir Sven Vermeulen
@ 2014-06-26 12:38 ` Christopher J. PeBenito
  2014-06-30 18:37 ` Christopher J. PeBenito
  4 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2014-06-26 12:38 UTC
  To: refpolicy

On 6/25/2014 3:52 PM, Sven Vermeulen wrote:
> This patchset introduces the init_daemon_pid_file interface, deprecates init_daemon_run_dir and updates the non-contrib modules to use the new init_daemon_pid_file interface.

This set can be merged, but I need the patch(es) for contrib too.


> Changes since v1:
> - Do not remove old attribute yet, keep it for backwards compatibility
> 
> Sven Vermeulen (3):
>   Support initrc_t generated pid files with file transition
>   Deprecate init_daemon_run_dir interface
>   Use init_daemon_pid_file instead of init_daemon_run_dir
> 
>  policy/modules/services/postgresql.te |  2 +-
>  policy/modules/services/ssh.te        |  2 +-
>  policy/modules/system/init.if         | 38 ++++++++++++++++++++++++++++++++---
>  policy/modules/system/init.te         |  8 ++++++++
>  policy/modules/system/setrans.te      |  2 +-
>  policy/modules/system/sysnetwork.te   |  2 +-
>  policy/modules/system/udev.te         |  2 +-
>  7 files changed, 48 insertions(+), 8 deletions(-)
> 

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH v2 0/3] Using init_daemon_pid_file
  2014-06-25 19:52 [refpolicy] [PATCH v2 0/3] Using init_daemon_pid_file Sven Vermeulen
                   ` (3 preceding siblings ...)
  2014-06-26 12:38 ` [refpolicy] [PATCH v2 0/3] Using init_daemon_pid_file Christopher J. PeBenito
@ 2014-06-30 18:37 ` Christopher J. PeBenito
  4 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2014-06-30 18:37 UTC
  To: refpolicy

On 6/25/2014 3:52 PM, Sven Vermeulen wrote:
> This patchset introduces the init_daemon_pid_file interface, deprecates init_daemon_run_dir and updates the non-contrib modules to use the new init_daemon_pid_file interface.
> 
> Changes since v1:
> - Do not remove old attribute yet, keep it for backwards compatibility
> 
> Sven Vermeulen (3):
>   Support initrc_t generated pid files with file transition
>   Deprecate init_daemon_run_dir interface
>   Use init_daemon_pid_file instead of init_daemon_run_dir

This set is merged.


>  policy/modules/services/postgresql.te |  2 +-
>  policy/modules/services/ssh.te        |  2 +-
>  policy/modules/system/init.if         | 38 ++++++++++++++++++++++++++++++++---
>  policy/modules/system/init.te         |  8 ++++++++
>  policy/modules/system/setrans.te      |  2 +-
>  policy/modules/system/sysnetwork.te   |  2 +-
>  policy/modules/system/udev.te         |  2 +-
>  7 files changed, 48 insertions(+), 8 deletions(-)
> 

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
