From dc663fe40ad53b14403d8e4c7f66eaab8b311d13 Mon Sep 17 00:00:00 2001
From: Sven Vermeulen <sven.vermeulen@siphos.be>
Date: Sat, 25 Aug 2012 20:25:06 +0200
Subject: [PATCH] Introduce init_daemon_run_dir transformation

Due to the introduction of /run, many init scripts need to create the daemon run
dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted. Because it often needs to change the attributes or
ownership of the directories as well, we also grant the setattr rights on the
directory.

Then, when needed, the modules can call this interface while adding the name of
the directory. This will trigger a named file transition when initrc_t creates
this directory:
  init_daemon_run_dir(udev_var_run_t, "udev")
will trigger
  files_pid_filetrans(initrc_t, udev_var_run_t, dir, "udev")

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.if | 27 +++++++++++++++++++++++++++
 policy/modules/system/init.te |  6 ++++++
 2 files changed, 33 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d26fe81c2..3f0c2d34d 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -415,6 +415,33 @@ interface(`init_ranged_system_domain',`
 	')
 ')
 
+########################################
+## <summary>
+##	Mark the file type as a daemon run dir, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon run dir
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the directory that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_run_dir',`
+	gen_require(`
+		attribute daemonrundir;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonrundir;
+
+	files_pid_filetrans(initrc_t, $1, dir, $2)
+')
+
 ########################################
 ## <summary>
 ##	Execute init (/sbin/init) with a domain transition.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f3c70ffab..933f8461a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -29,6 +29,9 @@ attribute init_run_all_scripts_domain;
 # Mark process types as daemons
 attribute daemon;
 
+# Mark file type as a daemon run directory
+attribute daemonrundir;
+
 #
 # init_t is the domain of the init process.
 #
@@ -242,6 +245,9 @@ init_telinit(initrc_t)
 
 can_exec(initrc_t, init_script_file_type)
 
+create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
+setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
+
 domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
 
 manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)