On Tue, 30 Nov 2010 16:10:20 -0500 (EST) Paul Wouters <paul@xxxxxxxxxxxxx> wrote:

> On Tue, 30 Nov 2010, Tomasz Torcz wrote:
>
> >> I would really like to avoid having THREE places to create
> >> directories in /var/run and /var/lock, those being spec file, init
> >> scripts AND tmpfiles.d
> >
> > Scratch the initscript. This would mean initscript would need to
> > contain multiple
> > ExecStartPre=/sbin/mkdir --mode=777 /var/run/xx; /bin/chown x.x /var/run/xx; /sbin/restorecon /var/run/xx
> > lines, which look unwieldy.
>
> Why not
>
> mkdir -p /var/run/xx
>
> or:
>
> [ ! -d /var/run/xx ] && mkdir -p /var/run/xx
>
> Can't SELinux pick up things without a restorecon? And what is the
> problem with another (root) process screwing over a pid or lock file?
> Can't SELinux lock that down from the /var/run level?

/var/run is var_run_t in targeted policy, but hardly anything below /var/run is - almost every subdir/file has its own context type. Just creating a file/directory within /var/run using the initscript will inherit var_run_t, which in most cases is not what's needed, hence the need for restorecon. Having the daemon create the file/dir works better because there will be a type transition defined in policy that results in the correct context type being used.

Paul.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
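The point Paul makes above (a directory created under /var/run by an initscript inherits var_run_t, while the policy's file_contexts database expects a per-daemon type such as httpd_var_run_t) is easy to verify on a running system. The script below is an added example written for this page; it is not code from the thread, from Fedora, or from any package. It assumes an SELinux-enabled host with policycoreutils (matchpathcon, restorecon) and GNU coreutils (stat -c %C); the paths /var/run/httpd and /var/run/sshd in the usage line are only illustrative. The two string-handling functions run anywhere, so the comparison logic can be exercised without SELinux.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Compares the SELinux label a path actually carries with the label the
# file_contexts database says it should have, and relabels on mismatch.
# Assumes: SELinux enabled, policycoreutils installed, GNU stat.

# A context string is user:role:type:level; the type is the third field.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 (true) when the actual type differs from the expected type,
# i.e. when the path is exactly in the state described in the post:
# created by mkdir under /var/run and still labelled var_run_t.
needs_relabel() {
    actual_type=$(ctx_type "$1")
    expected_type=$(ctx_type "$2")
    [ "$actual_type" != "$expected_type" ]
}

# Query the live system. stat -c %C prints the current context;
# matchpathcon -n prints what policy expects for that path, without the
# path itself. Prints one line per path; returns 1 if any is mislabelled.
check_paths() {
    rc=0
    for p in "$@"; do
        actual=$(stat -c %C "$p" 2>/dev/null) || {
            echo "$p: does not exist"
            rc=1
            continue
        }
        expected=$(matchpathcon -n "$p")
        if needs_relabel "$actual" "$expected"; then
            echo "$p: labelled $(ctx_type "$actual"), policy expects $(ctx_type "$expected")"
            rc=1
        else
            echo "$p: ok ($(ctx_type "$actual"))"
        fi
    done
    return $rc
}

# The fix an initscript has to apply after mkdir: relabel from file_contexts.
# -R recurses, -v reports each change.
fix_paths() {
    restorecon -Rv "$@"
}

# Usage (illustrative paths): sh check-run-labels.sh /var/run/httpd /var/run/sshd
if [ $# -gt 0 ]; then
    check_paths "$@" || fix_paths "$@"
fi
```

Run it against a directory you just created with mkdir under /var/run and it will report var_run_t versus the daemon-specific type, which is the mismatch restorecon (or a daemon-side type transition) exists to remove. Run it again after fix_paths and every line should read ok.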