Alter interface init_startstop_service to also allow for the status permission. systemctl start <foo> and systemctl stop <foo> work correctly. But systemctl restart <foo> will fail as restart uses status to determine the action to take.
This interface is used by many other modules (like iptables, logging, apache, cron, etc... - see 'admin' interface). This allows restart to work for all these services.
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/init.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 59d9f1f0..09a20311 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1703,10 +1703,10 @@ interface(`init_startstop_service',`
# all callers are updated to provide unit files.
ifelse(`$5',`',`',`
gen_require(`
- class service { start stop };
+ class service { start status stop };
')
- allow $1 $5:service { start stop };
+ allow $1 $5:service { start status stop };
')
')
')
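Review bot: The new status permission is only granted inside the ifelse on $5, so it takes effect only for callers that pass a fifth argument (the unit file type). A caller that omits $5 gets no service permissions from this block, and restart is not fixed for it by this change. The comment at the top of the hunk says callers are still being updated to provide unit files, so it is worth confirming that each module this is meant to help already passes $5.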
--
2.13.5
On 09/13/2017 04:26 PM, David Sugar via refpolicy wrote:
> Alter interface init_startstop_service to also allow for the status permission. systemctl start <foo> and systemctl stop <foo> work correctly. But systemctl restart <foo> will fail as restart uses status to determine the action to take.
>
> This interface is used by many other modules (like iptables, logging, apache, cron, etc... - see 'admin' interface). This allows restart to work for all these services.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/init.if | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 59d9f1f0..09a20311 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -1703,10 +1703,10 @@ interface(`init_startstop_service',`
> # all callers are updated to provide unit files.
> ifelse(`$5',`',`',`
> gen_require(`
> - class service { start stop };
> + class service { start status stop };
> ')
>
> - allow $1 $5:service { start stop };
> + allow $1 $5:service { start status stop };
> ')
> ')
> ')
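Review bot: With status added to both the gen_require and the allow rule, init_startstop_service now grants more than its name says, and the diffstat (2 insertions, 2 deletions) shows no documentation change alongside it. Suggest updating the interface's summary comment to state that status is included because restart queries it, so callers do not assume they are granting only start and stop.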
I believe I have rejected this change before, but I don't recall someone
saying that it breaks the restart command without the status permission.
Because of this issue, I've merged this change.
--
Chris PeBenito