The /var/cfengine/output location will be labeled in the forthcoming
cfengine policy module that will be ported from Fedora
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The courier-imap and courier-pop3 daemons are started by sourcing their
configuration files, and then invoking the daemons using the proper options. If
this is done through a specialized script, then init only needs to call this
script (where a proper transition occurs) but if the init script itself does
this, it needs to be able to read the configuration files.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The Gentoo-specific runscripts in /sbin should not be marked as initrc_exec_t
anymore (just bin_t).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
If the /var/lib/syslog directory does not exist, then syslog-ng (running in
syslogd_t) will attempt to create the directory.
Allow the syslogd_t domain to create the directory, and use an automatic file
transition towards syslogd_var_lib_t.
Also, the syslog-ng daemon uses a persistence file in
/var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As
/var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write
its files as syslogd_var_lib_t therein.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Puppet calls mount to obtain the list of mounted file systems, redirecting its
output to a temporary file (labeled puppet_tmp_t). This allows the mount domain
to write to this resource.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the postgresql service.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the udev daemon with the proper file transition.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Due to the introduction of /run, many init scripts need to create the daemon run
dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted. Because it often needs to change the attributes or
ownership of the directories as well, we also grant the setattr rights on the
directory.
Then, when needed, the modules can call this interface while adding the name of
the directory. This will trigger a named file transition when initrc_t creates
this directory:
init_daemon_run_dir(udev_var_run_t, "udev")
will trigger
files_pid_filetrans(initrc_t, udev_var_run_t, dir, "udev")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Intel® AMT Linux support includes two components that allow interaction
between the Intel® AMT FW and the Linux OS: Intel® MEI (Intel® Management Engine Interface)
driver and LMS (Local Management Service) driver. Intel® MEI driver
allows application to communicate with the FW using host interface,
and LMS driver allows applications to access the Intel® AMT FW via the
local Intel® Management Engine Interface (Intel® MEI).
In addition, Intel has validated a kernel patch to enable
IDE-redirection. This is a community maintained patch, but Intel is
distributing the version used in the validation of the other Intel® AMT
components released here:
http://software.intel.com/en-us/articles/download-the-latest-intel-amt-open-source-drivers/
Declare a mei_device_t device node tyoe and label /dev/mei accordingly.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
This directory contains the working files for updating network-related files
(like resolv.conf for name servers) before they are copied to the fixed
location. Although already in use previously, this location (/var/run/dhcpc or
/var/run/dhcpcd) was statically defined on the system.
With the introduction of /run and systems having /var/run -> /run, this is now a
dynamically created directory by dhcpc_t. Hence, the policy is enhanced allowing
dhcpc_t to create dhcpc_var_run_t directories, and include a file transition for
directories created in the var_run_t location(s).
Changes since v1
----------------
- Use create_dirs_pattern instead of manage_dirs_pattern
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Introduce the substitutions for the /usr/local/lib* locations (towards /usr/lib)
and /etc/init.d (towards /etc/rc.d/init.d).
Update the file contexts of the translated locations.
Rebased (collided with Guido's patch for commenting within the
file_contexts.subs_dist file) since v3.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Add a comment at the top of the configuration file file_contexts.subs_dist
to clarify that it performs aliasing and not substitutions in the
strict sense of the word.
A name change might be considered too, if it proves to lead to further
confusion.
There might be pieces of documentation that could benefit from similar
considerations.
Also note that a specific manual page is missing.
Recent udev installs its main binary in /usr/lib/systemd (called systemd-udevd).
Update file contexts to support this.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Dominick Grift
Chris PeBenito
Laurent Bigonville
Sven Vermeulen
Guido Trentalancia