Supporting interfaces for the /run changes

Since most distributions now support /run (which, thanks the the file context substitutions, is marked as var_run_t), we need to update the SELinux policies to support "dynamically" building up /run. Unlike /var/run, which is most likely statically defined during distribution installation, /run is a tmpfs which is built up from scratch on each and every boot. But not only that, many services also use this location for other purposes than just PID files (which is to be expected as these "other reasons" is why /run came to be in the first place), so we need to support other types within this location easily. For this reason, we introduce support to - creating the /run/lock location - supporting named file transitions when init scripts create stuff in /run Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2025-03-21 18:46:34 +00:00 · 2012-07-12 21:24:42 +02:00 · 2012-07-12 21:24:42 +02:00 · 765e7b71ee
commit 765e7b71ee
parent ec3995c576
1 changed files with 61 additions and 0 deletions
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -5606,6 +5606,26 @@ interface(`files_list_locks',`
 	list_dirs_pattern($1, var_t, var_lock_t)
 ')

+########################################
+## <summary>
+## 	Create lock directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`files_create_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	create_dirs_pattern($1, var_lock_t, var_lock_t)
+')
+
 ########################################
 ## <summary>
 ##	Add and remove entries in the /var/lock
@ -5626,6 +5646,24 @@ interface(`files_rw_lock_dirs',`
 	rw_dirs_pattern($1, var_t, var_lock_t)
 ')

+########################################
+## <summary>
+##	Set the attributes of the generic lock directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_setattr_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	setattr_dirs_pattern($1, var_t, var_lock_t)
+')
+
 ########################################
 ## <summary>
 ##	Relabel to and from all lock directory types.
@ -6014,6 +6052,29 @@ interface(`files_pid_filetrans',`
 	filetrans_pattern($1, var_run_t, $2, $3, $4)
 ')

+########################################
+## <summary>
+## 	Create a generic lock directory within the run directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_pid_filetrans_lock_dir',`
+	gen_require(`
+		type var_lock_t;
+	')
+
+	files_pid_filetrans($1, var_lock_t, dir, $2)
+')
+
 ########################################
 ## <summary>
 ##	Read and write generic process ID files.