That makes sense, thanks. So, I take this would be the approach: - Create a single policy with multiple domains -- Create separate domains for each daemon + domain for shared resources -- Transition between them where needed If the structure is: /opt/myapp/bin/daemon1 (daemon1_exec_t) /opt/myapp/bin/daemon2 (daemon2_exec_t) /opt/myapp/bin/start_all - (start script for both daemon1 and daemon2) (myapp_initrc_exec_t) /opt/myapp/all_shared_resources (myapp_t) /etc/init.d/sym_link_to_start_all (sym link to /opt/myapp/bin/start_all) Can I have: type myapp_initrc_exec_t; init_script_file(myapp_initrc_exec_t) for daemon1: init_daemon_domain(daemon1_t, daemon1_exec_t) for daemon2: init_daemon_domain(daemon2_t, daemon2_exec_t) ... On Wed, 2014-05-14 at 12:31 -0400, Stephen Smalley wrote: > On 05/14/2014 12:04 PM, Mladen Sekara wrote: > > What would be the best approach to attack this: > > > > One application, multiple components/daemons. > > Some files are specific to a daemon, some are shared between them (eg. > > log files are unique, some config files, keystores... are shared etc.) > > > > All daemons start from a single init script and I am not allowed to > > change it. > > > > Options: > > > > 1. Create policy for each component and then domain transition between > > them (what about shared files???) > > 2. Create a single policy for multiple daemons? > > > > Any advice... > > Given that there are some resources private to each daemon and the > daemons may have different permission requirements, I'd suggest creating > a separate domain per daemon and just defining a set of shared types for > the shared resources. You can define them all in a single policy > module; there is no requirement that there only be a single domain in > each policy module. > > If you then find that some of the domains are almost identical, you can > coalesce them. But you likely won't know that a priori and it is easier > to coalesce domains/types than to split them. > > _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
