Support initrc_t generated pid files with file transition
For some daemons, it is the init script that is responsible for creating the PID file of the daemon. As we do not want to update the init SELinux policy module for each of these situations, we need to introduce an interface that can be called by the SELinux policy module of the caller (the daemon domain). The initial suggestion was to transform the init_daemon_run_dir interface, which offers a similar approach for directories in /run, into a class-agnostic interface. Several names have been suggested, such as init_script_spec_run_content or init_script_generic_run_filetrans_spec, but in the end init_daemon_pid_file was used. The interface requires the class(es) on which the file transition should occur, like so: init_daemon_pid_file(xdm_var_run_t, dir, "xdm") init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid") Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This commit is contained in:
Sven Vermeulen
Chris PeBenito
parent
89fa50f67a
commit
d64826b606
|
|
@ -410,6 +410,39 @@ interface(`init_ranged_system_domain',`
|
|||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mark the file type as a daemon pid file, allowing initrc_t
|
||||
## to create it
|
||||
## </summary>
|
||||
## <param name="filetype">
|
||||
## <summary>
|
||||
## Type to mark as a daemon pid file
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="class">
|
||||
## <summary>
|
||||
## Class on which the type is applied
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="filename">
|
||||
## <summary>
|
||||
## Filename of the file that the init script creates
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_daemon_pid_file',`
|
||||
gen_require(`
|
||||
attribute daemonpidfile;
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
typeattribute $1 daemonpidfile;
|
||||
|
||||
files_pid_file($1)
|
||||
files_pid_filetrans(initrc_t, $1, $2, $3)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mark the file type as a daemon run dir, allowing initrc_t
|
||||
|
|
|
|||
|
|
@ -23,6 +23,8 @@ attribute init_run_all_scripts_domain;
|
|||
# Mark process types as daemons
|
||||
attribute daemon;
|
||||
|
||||
# Mark file type as a daemon pid file
|
||||
attribute daemonpidfile;
|
||||
# Mark file type as a daemon run directory
|
||||
attribute daemonrundir;
|
||||
|
||||
|
|
@ -251,6 +253,10 @@ init_telinit(initrc_t)
|
|||
|
||||
can_exec(initrc_t, init_script_file_type)
|
||||
|
||||
create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
|
||||
manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile)
|
||||
setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
|
||||
|
||||
create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
|
||||
setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue