Commit Graph

3440 Commits

Author SHA1 Message Date
Chris PeBenito 4a865b3830 Module version bump for lost+found labeling in /var/log from Guido Trentalancia. 2012-08-29 10:49:23 -04:00
Guido Trentalancia 06e2744b23 add lost+found filesystem labels to support NSA security guidelines
Add lost+found filesystem label to /var/log and /var/log/audit.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2012-08-29 10:41:32 -04:00
Chris PeBenito d38855ea95 Module version bump for init_daemon_run_dirs usage from Sven Vermeulen. 2012-08-29 08:50:56 -04:00
Sven Vermeulen 258449bf2c Allow initrc_t to create run dirs for core modules
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the postgresql service.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-08-29 08:45:26 -04:00
Sven Vermeulen 7857ccdf21 Use the init_daemon_run_dir interface for udev
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the udev daemon with the proper file transition.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-08-29 08:45:21 -04:00
Sven Vermeulen dc663fe40a Introduce init_daemon_run_dir transformation
Due to the introduction of /run, many init scripts need to create the daemon run
dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted. Because it often needs to change the attributes or
ownership of the directories as well, we also grant the setattr rights on the
directory.

Then, when needed, the modules can call this interface while adding the name of
the directory. This will trigger a named file transition when initrc_t creates
this directory:
  init_daemon_run_dir(udev_var_run_t, "udev")
will trigger
  files_pid_filetrans(initrc_t, udev_var_run_t, dir, "udev")

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-08-29 08:45:17 -04:00
Chris PeBenito c1880113bc Module version bump for /dev/mei type and label from Dominick Grift. 2012-08-23 09:39:13 -04:00
Dominick Grift e541dcc668 Intel® Active Management Technology
Intel® AMT Linux support includes two components that allow interaction
between the Intel® AMT FW and the Linux OS: Intel® MEI (Intel® Management Engine Interface)
driver and LMS (Local Management Service) driver. Intel® MEI driver
allows applications to communicate with the FW using the host interface,
and LMS driver allows applications to access the Intel® AMT FW via the
local Intel® Management Engine Interface (Intel® MEI).

In addition, Intel has validated a kernel patch to enable
IDE-redirection. This is a community maintained patch, but Intel is
distributing the version used in the validation of the other Intel® AMT
components released here:

http://software.intel.com/en-us/articles/download-the-latest-intel-amt-open-source-drivers/

Declare a mei_device_t device node type and label /dev/mei accordingly.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-08-23 09:30:00 -04:00
Chris PeBenito aea38e0c90 Update contrib. 2012-08-22 11:04:24 -04:00
Chris PeBenito e42f429719 Module version bump for fc fixes in devices module from Dominick Grift. 2012-08-21 15:32:40 -04:00
Dominick Grift f933f286cb Fix a suspected typo
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-08-21 15:28:33 -04:00
Dominick Grift 66d2ca265f There can be more than a single watchdog interface
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-08-21 15:28:33 -04:00
Chris PeBenito 0a6013cd4f Module version bump for /run/dhcpc directory creation by dhcp from Sven Vermeulen. 2012-08-21 15:25:13 -04:00
Sven Vermeulen 452942ca99 DHCP client's hooks create /run/dhcpc directory
This directory contains the working files for updating network-related files
(like resolv.conf for name servers) before they are copied to the fixed
location. Although already in use previously, this location (/var/run/dhcpc or
/var/run/dhcpcd) was statically defined on the system.

With the introduction of /run and systems having /var/run -> /run, this is now a
dynamically created directory by dhcpc_t. Hence, the policy is enhanced allowing
dhcpc_t to create dhcpc_var_run_t directories, and include a file transition for
directories created in the var_run_t location(s).

Changes since v1
----------------
- Use create_dirs_pattern instead of manage_dirs_pattern

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-08-21 15:07:47 -04:00
Chris PeBenito 9a783cb659 Update contrib. 2012-08-15 11:01:01 -04:00
Chris PeBenito 2b70efd2f6 Module version bump for fc substitutions optimizations from Sven Vermeulen. 2012-08-15 11:00:55 -04:00
Chris PeBenito ca6cbe9bd1 Remove trailing / from paths 2012-08-15 10:57:24 -04:00
Sven Vermeulen 8e678aa594 Use substitutions for /usr/local/lib and /etc/init.d
Introduce the substitutions for the /usr/local/lib* locations (towards /usr/lib)
and /etc/init.d (towards /etc/rc.d/init.d).

Update the file contexts of the translated locations.

Rebased (collided with Guido's patch for commenting within the
file_contexts.subs_dist file) since v3.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-08-15 10:30:25 -04:00
Chris PeBenito 695500bfec Update contrib. 2012-08-14 09:41:26 -04:00
Chris PeBenito 44639de947 clarify the file_contexts.subs_dist configuration file usage from Guido Trentalancia
Add a comment at the top of the configuration file file_contexts.subs_dist
to clarify that it performs aliasing and not substitutions in the
strict sense of the word.

A name change might be considered too, if it proves to lead to further
confusion.

There might be pieces of documentation that could benefit from similar
considerations.

Also note that a specific manual page is missing.
2012-08-14 08:03:19 -04:00
Chris PeBenito 66452a8ed7 Module version bump for udev binary location update from Sven Vermeulen. 2012-08-08 09:30:36 -04:00
Chris PeBenito 3fa8477732 Minor whitespace fix in udev.fc 2012-08-08 09:30:09 -04:00
Sven Vermeulen 31f772cb7a New location for udevd binary
Recent udev installs its main binary in /usr/lib/systemd (called systemd-udevd).
Update file contexts to support this.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-08-08 09:29:27 -04:00
Chris PeBenito 8c9a1703a7 Add bird contrib module from Dominick Grift. 2012-08-08 09:27:26 -04:00
Chris PeBenito b70d528401 Mcelog update from Guido Trentalancia. 2012-08-08 08:44:07 -04:00
Chris PeBenito 095f6dcca9 Update Changelog and VERSION for release. 2012-07-25 14:33:06 -04:00
Chris PeBenito 3516535aa6 Bump module versions for release. 2012-07-25 14:33:06 -04:00
Chris PeBenito e3c57d3156 Rename epollwakeup capability2 permission to block_suspend to match the
corresponding kernel capability rename.
2012-07-25 09:01:55 -04:00
Chris PeBenito 81761270b1 Update contrib. 2012-07-24 09:21:46 -04:00
Chris PeBenito 36d6797363 Module version bump and changelog for udev and init changes to support /run, from Sven Vermeulen. 2012-07-24 09:11:14 -04:00
Chris PeBenito 61c65fe602 Rearrange interfaces in files.if and udev.if. 2012-07-24 08:55:52 -04:00
Chris PeBenito bd4ea4cdc0 Whitespace fixes in udev.if. 2012-07-24 08:52:21 -04:00
Sven Vermeulen dfccb1658f Allow init scripts to create and manage (udev) /run location
With udev now using /run for its data, the init script responsible for preparing
the environment to start up udev needs to be able to set up this location as
well.

We here allow init scripts to create the /run/udev location (transitioning to
udev_var_run_t) and manage this content (creating the /run/udev subdirectories).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-07-24 08:42:36 -04:00
Sven Vermeulen 486e700352 Prepare udev interfaces for /run usage
Recent udev implementations now use /run (actually, /run/udev) for storing
database files, rules and more. Hence, we need to extend existing interfaces to
support searching through the udev_var_run_t location (as most of that was
previously only in device_t and/or etc_t or udev_etc_t)

Next to enhancing the interfaces, we provide additional ones that will be used
by the init script (for udev) which needs to create and support the new
/run/udev locations.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-07-24 08:42:31 -04:00
Sven Vermeulen b2207b335f Allow init scripts to populate /run location
At boot up, the /run location is empty, and init scripts are responsible for
creating the necessary structure within to support their services. This means,
adding entries like for the lock folder (/run/lock).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-07-24 08:42:28 -04:00
Sven Vermeulen 765e7b71ee Supporting interfaces for the /run changes
Since most distributions now support /run (which, thanks to the
file context substitutions, is marked as var_run_t), we need to update the
SELinux policies to support "dynamically" building up /run. Unlike /var/run,
which is most likely statically defined during distribution installation, /run
is a tmpfs which is built up from scratch on each and every boot.

But not only that, many services also use this location for other purposes than
just PID files (which is to be expected as these "other reasons" are why /run
came to be in the first place), so we need to support other types within this
location easily.

For this reason, we introduce support for
- creating the /run/lock location
- supporting named file transitions when init scripts create stuff in /run

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-07-24 08:42:10 -04:00
Sven Vermeulen ec3995c576 Support log location for init script logging
Recent init script packages allow for logging init script progress (service
start/stop state information, sometimes even duration, etc.) so we introduce an
initrc_var_log_t logtype and allow initrc_t to manage this.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-07-24 08:40:09 -04:00
Chris PeBenito 2728d43634 Module version bump, changelog, pull contrib 2012-07-10 08:58:37 -04:00
Chris PeBenito b35c647481 nss_domain attribute patch 3, Miroslav Grepl 2012-07-10 08:43:38 -04:00
Chris PeBenito 330b13a4a2 nss_domain attribute patch 1, Miroslav Grepl 2012-07-10 08:43:31 -04:00
Chris PeBenito b4cbbb1fd8 Allow mount to write to all of its runtime files, from Guido Trentalancia
Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]\{0,20\}
lock files (the number corresponds to the PID). Such files are still mistakenly
being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
completion of the write operation and the accumulation of unremovable stale lock
files over several operation attempts as in normal system reboots, for example).

Do the same with the standard mount temporary file /etc/mtab.tmp.

The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
for the location of such files.
2012-06-26 09:51:57 -04:00
Chris PeBenito 4f14c21a0d Changelog for python3 update. 2012-06-26 09:17:11 -04:00
Sven Vermeulen afeb8c4cb9 Refactoring code to support python3
This patch includes the necessary refactoring to support python 3.

Changes since v2
- Do not include contrib submodule (no relevant changes there)
- Update in pyplate to fix a failure with str/unicode in doc generation

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-06-26 09:08:48 -04:00
Chris PeBenito 425adc3b2d Update capability2 object class for new wake_alarm and epollwakeup capabilities. 2012-06-06 13:34:45 -04:00
Chris PeBenito f825edc28a Module version bump and changelog for sepostgresql updates. 2012-05-18 14:18:51 -04:00
Chris PeBenito 32e0f50cf7 Rearrange lines in postgresql. 2012-05-18 14:18:00 -04:00
Chris PeBenito c5114fef5e SEPostgresql changes from Kohei KaiGai.
* fix bugs in MLS/MCS
* add connection pooling server support
* foreign data wrapper support
* Add temporary objects support
* redefinition of use permission onto system objects
2012-05-18 09:28:18 -04:00
Chris PeBenito 00dc68d969 Module version bump for shadow utils updates from Sven Vermeulen. 2012-05-11 11:46:26 -04:00
Sven Vermeulen 2f28a01206 Allow groupadd/passwd to read selinux config and context files
Recent shadow utils require listing of SELinux config as well as reading the file context information.

See also
- https://bugs.gentoo.org/show_bug.cgi?id=413061
- https://bugs.gentoo.org/show_bug.cgi?id=413065

Changes since v1
- use correct domain (passwd_t)

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-05-11 08:50:38 -04:00
Chris PeBenito 8e00a439ef Module version bump for simplify file contexts based on file context path substitutions, from Sven Vermeulen. 2012-05-10 10:36:06 -04:00