2015-05-14 22:28:44

by Jason Zaman

Subject: [refpolicy] [PATCH] Introduce init_manage_service_template interface

This is to be used where a role needs to start and stop a service. It
centralizes all the rules for redhat < 6 sysvinit that were used in the
_admin interfaces. The rules for other inits will be added later.
---
policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 0e7eaec..7938735 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -963,6 +963,46 @@ interface(`init_all_labeled_script_domtrans',`

########################################
## <summary>
+## Allow the role to start and stop
+## labeled services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be performing this action.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type to be used as a daemon domain.
+## </summary>
+## </param>
+## <param name="init_script_file">
+## <summary>
+## Labeled init script file.
+## </summary>
+## </param>
+#
+interface(`init_manage_service_template',`
+ gen_require(`
+ role system_r;
+ ')
+
+ ifndef(`direct_sysadm_daemon',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
+')
+
+########################################
+## <summary>
## Start and stop daemon programs directly.
## </summary>
## <desc>
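
Review bot: the parameter documentation uses name="domain" for both the first and the third <param>, and the third parameter ("Type to be used as a daemon domain") is never referenced in the body, which only uses $1, $2 and $4. Give the third parameter a distinct name, and either use $3 in a rule or drop it from the documented signature so callers do not pass an argument that has no effect.
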
--
2.3.6


2015-05-18 12:57:53

by cpebenito

Subject: [refpolicy] [PATCH] Introduce init_manage_service_template interface

On 5/14/2015 6:28 PM, Jason Zaman wrote:
> This is to be used where a role needs to start and stop a service. It
> centralizes all the rules for redhat < 6 sysvinit that were used in the
> _admin interfaces. The rules for other inits will be added later.

I'm ok with this set, though I'm trying to decide if this is the right
name for this template. I'm not sure if we should overload "manage"
since it already is create/read/write/delete on files, dirs, etc.


> ---
> policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 40 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 0e7eaec..7938735 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -963,6 +963,46 @@ interface(`init_all_labeled_script_domtrans',`
>
> ########################################
> ## <summary>
> +## Allow the role to start and stop
> +## labeled services.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be performing this action.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a daemon domain.
> +## </summary>
> +## </param>
> +## <param name="init_script_file">
> +## <summary>
> +## Labeled init script file.
> +## </summary>
> +## </param>
> +#
> +interface(`init_manage_service_template',`
> + gen_require(`
> + role system_r;
> + ')
> +
> + ifndef(`direct_sysadm_daemon',`
> + # rules for sysvinit / upstart
> + init_labeled_script_domtrans($1, $4)
> + domain_system_change_exemption($1)
> + role_transition $2 $4 system_r;
> + allow $2 system_r;
> + ')
> +')
> +
> +########################################
> +## <summary>
> ## Start and stop daemon programs directly.
> ## </summary>
> ## <desc>
>
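
Review bot: every rule in the body sits inside ifndef(`direct_sysadm_daemon', ...), so when direct_sysadm_daemon is defined the interface expands to nothing beyond the gen_require and the role gains no access. The only in-code comment is "rules for sysvinit / upstart"; add a comment stating that the other case is intentionally empty for now, so a caller reading init.if does not assume the role can start and stop the service in that configuration.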


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-05-18 13:21:33

by Jason Zaman

Subject: [refpolicy] [PATCH] Introduce init_manage_service_template interface

On Mon, May 18, 2015 at 08:57:53AM -0400, Christopher J. PeBenito wrote:
> On 5/14/2015 6:28 PM, Jason Zaman wrote:
> > This is to be used where a role needs to start and stop a service. It
> > centralizes all the rules for redhat < 6 sysvinit that were used in the
> > _admin interfaces. The rules for other inits will be added later.
>
> I'm ok with this set, though I'm trying to decide if this is the right
> name for this template. I'm not sure if we should overload "manage"
> since it already is create/read/write/delete on files, dirs, etc.

I would be quite willing to change the name if there is a better one. I
agree "manage" is overloaded. Although "start" doesn't work either since
the template would be for stopping / status / etc as well.

Is there any other verb that is used in this context we can use
instead?

-- Jason

2015-05-18 13:27:48

by sven.vermeulen

Subject: [refpolicy] [PATCH] Introduce init_manage_service_template interface

What about "operate"?
On May 18, 2015 3:22 PM, "Jason Zaman" <jason at perfinion.com> wrote:

> On Mon, May 18, 2015 at 08:57:53AM -0400, Christopher J. PeBenito wrote:
> > On 5/14/2015 6:28 PM, Jason Zaman wrote:
> > > This is to be used where a role needs to start and stop a service. It
> > > centralizes all the rules for redhat < 6 sysvinit that were used in the
> > > _admin interfaces. The rules for other inits will be added later.
> >
> > I'm ok with this set, though I'm trying to decide if this is the right
> > name for this template. I'm not sure if we should overload "manage"
> > since it already is create/read/write/delete on files, dirs, etc.
>
> I would be quite willing to change the name if there is a better one. I
> agree "manage" is overloaded. Although "start" doesn't work either since
> the template would be for stopping / status / etc as well.
>
> Is there any other verb that is used in this context we can use
> instead?
>
> -- Jason

2015-05-18 14:11:08

by Jason Zaman

Subject: [refpolicy] [PATCH] Introduce init_manage_service_template interface

On Mon, May 18, 2015 at 03:27:48PM +0200, Sven Vermeulen wrote:
> What about "operate"?

or direct, govern, handle. I think operate is a bit better tho since
operator is one of the standard unix accounts.

Chris, do you want me to re-do the patch with any of them in particular
or do you want to search and replace on your end?

-- Jason

> On May 18, 2015 3:22 PM, "Jason Zaman" <jason at perfinion.com> wrote:
>
> On Mon, May 18, 2015 at 08:57:53AM -0400, Christopher J. PeBenito wrote:
> > On 5/14/2015 6:28 PM, Jason Zaman wrote:
> > > This is to be used where a role needs to start and stop a service. It
> > > centralizes all the rules for redhat < 6 sysvinit that were used in the
> > > _admin interfaces. The rules for other inits will be added later.
> >
> > I'm ok with this set, though I'm trying to decide if this is the right
> > name for this template. I'm not sure if we should overload "manage"
> > since it already is create/read/write/delete on files, dirs, etc.
> I would be quite willing to change the name if there is a better one. I
> agree "manage" is overloaded. Although "start" doesn't work either since
> the template would be for stopping / status / etc as well.
> Is there any other verb that is used in this context we can use
> instead?
> -- Jason

2015-05-20 13:02:00

by cpebenito

Subject: [refpolicy] [PATCH] Introduce init_manage_service_template interface

On 5/18/2015 10:11 AM, Jason Zaman wrote:
> On Mon, May 18, 2015 at 03:27:48PM +0200, Sven Vermeulen wrote:
>> What about "operate"?
>
> or direct, govern, handle. I think operate is a bit better tho since
> operator is one of the standard unix accounts.
>
> Chris, do you want me to re-do the patch with any of them in particular
> or do you want to search and replace on your end?

I was thinking about verbs for these interfaces in general, and obvious
ones are:

* start
* stop
* <start and stop: operate, direct, govern, handle?>

Then it occurred to me, why not do something like startstop like we do
sendrecv? It's ugly, but clearly indicates what is happening.


>> On May 18, 2015 3:22 PM, "Jason Zaman" <jason at perfinion.com> wrote:
>>
>> On Mon, May 18, 2015 at 08:57:53AM -0400, Christopher J. PeBenito wrote:
>> > On 5/14/2015 6:28 PM, Jason Zaman wrote:
>> > > This is to be used where a role needs to start and stop a service. It
>> > > centralizes all the rules for redhat < 6 sysvinit that were used in the
>> > > _admin interfaces. The rules for other inits will be added later.
>> >
>> > I'm ok with this set, though I'm trying to decide if this is the right
>> > name for this template. I'm not sure if we should overload "manage"
>> > since it already is create/read/write/delete on files, dirs, etc.
>> I would be quite willing to change the name if there is a better one. I
>> agree "manage" is overloaded. Although "start" doesn't work either since
>> the template would be for stopping / status / etc as well.
>> Is there any other verb that is used in this context we can use
>> instead?
>> -- Jason


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-05-20 13:43:45

by Jason Zaman

Subject: [refpolicy] [PATCH] Introduce init_manage_service_template interface

On Wed, May 20, 2015 at 09:02:00AM -0400, Christopher J. PeBenito wrote:
> On 5/18/2015 10:11 AM, Jason Zaman wrote:
> > On Mon, May 18, 2015 at 03:27:48PM +0200, Sven Vermeulen wrote:
> >> What about "operate"?
> >
> > or direct, govern, handle. I think operate is a bit better tho since
> > operator is one of the standard unix accounts.
> >
> > Chris, do you want me to re-do the patch with any of them in particular
> > or do you want to search and replace on your end?
>
> I was thinking about verbs for these interfaces in general, and obvious
> ones are:
>
> * start
> * stop
> * <start and stop: operate, direct, govern, handle?>
>
> Then it occurred to me, why not do something like startstop like we do
> sendrecv? It's ugly, but clearly indicates what is happening.

That makes a lot of sense and would not have any misunderstandings. It's
not really that ugly apart from init_startstop_service_template is pretty
long. Do we need / want the _template in it?

-- Jason


> >> On May 18, 2015 3:22 PM, "Jason Zaman" <jason at perfinion.com> wrote:
> >>
> >> On Mon, May 18, 2015 at 08:57:53AM -0400, Christopher J. PeBenito wrote:
> >> > On 5/14/2015 6:28 PM, Jason Zaman wrote:
> >> > > This is to be used where a role needs to start and stop a service. It
> >> > > centralizes all the rules for redhat < 6 sysvinit that were used in the
> >> > > _admin interfaces. The rules for other inits will be added later.
> >> >
> >> > I'm ok with this set, though I'm trying to decide if this is the right
> >> > name for this template. I'm not sure if we should overload "manage"
> >> > since it already is create/read/write/delete on files, dirs, etc.
> >> I would be quite willing to change the name if there is a better one. I
> >> agree "manage" is overloaded. Although "start" doesn't work either since
> >> the template would be for stopping / status / etc as well.
> >> Is there any other verb that is used in this context we can use
> >> instead?
> >> -- Jason
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

2015-05-22 12:33:02

by cpebenito

Subject: [refpolicy] [PATCH] Introduce init_manage_service_template interface

On 5/20/2015 9:43 AM, Jason Zaman wrote:
> On Wed, May 20, 2015 at 09:02:00AM -0400, Christopher J. PeBenito wrote:
>> On 5/18/2015 10:11 AM, Jason Zaman wrote:
>>> On Mon, May 18, 2015 at 03:27:48PM +0200, Sven Vermeulen wrote:
>>>> What about "operate"?
>>>
>>> or direct, govern, handle. I think operate is a bit better tho since
>>> operator is one of the standard unix accounts.
>>>
>>> Chris, do you want me to re-do the patch with any of them in particular
>>> or do you want to search and replace on your end?
>>
>> I was thinking about verbs for these interfaces in general, and obvious
>> ones are:
>>
>> * start
>> * stop
>> * <start and stop: operate, direct, govern, handle?>
>>
>> Then it occurred to me, why not do something like startstop like we do
>> sendrecv? It's ugly, but clearly indicates what is happening.
>
> That makes a lot of sense and would not have any misunderstandings. It's
> not really that ugly apart from init_startstop_service_template is pretty
> long. Do we need / want the _template in it?

It's not actually creating any types, thus it's not technically a
template, so you can skip the _template.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-05-22 12:40:45

by Jason Zaman

Subject: [refpolicy] [PATCH] Introduce init_manage_service_template interface

On Fri, May 22, 2015 at 08:33:02AM -0400, Christopher J. PeBenito wrote:
> On 5/20/2015 9:43 AM, Jason Zaman wrote:
> > On Wed, May 20, 2015 at 09:02:00AM -0400, Christopher J. PeBenito wrote:
> >> On 5/18/2015 10:11 AM, Jason Zaman wrote:
> >>> On Mon, May 18, 2015 at 03:27:48PM +0200, Sven Vermeulen wrote:
> >>>> What about "operate"?
> >>>
> >>> or direct, govern, handle. I think operate is a bit better tho since
> >>> operator is one of the standard unix accounts.
> >>>
> >>> Chris, do you want me to re-do the patch with any of them in particular
> >>> or do you want to search and replace on your end?
> >>
> >> I was thinking about verbs for these interfaces in general, and obvious
> >> ones are:
> >>
> >> * start
> >> * stop
> >> * <start and stop: operate, direct, govern, handle?>
> >>
> >> Then it occurred to me, why not do something like startstop like we do
> >> sendrecv? It's ugly, but clearly indicates what is happening.
> >
> > That makes a lot of sense and would not have any misunderstandings. It's
> > not really that ugly apart from init_startstop_service_template is pretty
> > long. Do we need / want the _template in it?
>
> It's not actually creating any types, thus it's not technically a
> template, so you can skip the _template.

Okay, I'll change it to init_startstop_service() and re-run the tests
and send the patches in a bit.

Thanks,
Jason