2015-05-22 14:08:05

by Jason Zaman

Subject: [refpolicy] [PATCH] Introduce init_startstop_service interface

This is to be used where a role needs to start and stop a labeled
service. It centralizes all the rules for redhat < 6 sysvinit that
were used in the _admin interfaces. The rules for other inits will
be added later.
---
policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 0e7eaec..f39437e 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -963,6 +963,46 @@ interface(`init_all_labeled_script_domtrans',`

########################################
## <summary>
+## Allow the role to start and stop
+## labeled services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be performing this action.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type to be used as a daemon domain.
+## </summary>
+## </param>
+## <param name="init_script_file">
+## <summary>
+## Labeled init script file.
+## </summary>
+## </param>
+#
+interface(`init_startstop_service',`
+ gen_require(`
+ role system_r;
+ ')
+
+ ifndef(`direct_sysadm_daemon',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
+')
+
+########################################
+## <summary>
## Start and stop daemon programs directly.
## </summary>
## <desc>
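
Review bot: the parameter documentation for init_startstop_service declares <param name="domain"> twice, once for the first parameter and once for the third, so the two cannot be told apart by name. Give the third a distinct name that matches its description ("Type to be used as a daemon domain."). That third argument is also never referenced in the body, which uses only $1, $2 and $4; if it is reserved for the rules for other inits that the commit message says will be added later, state that in its summary, otherwise drop it.
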
--
2.3.6


2015-05-22 18:30:41

by cpebenito

Subject: [refpolicy] [PATCH] Introduce init_startstop_service interface

On 5/22/2015 10:08 AM, Jason Zaman wrote:
> This is to be used where a role needs to start and stop a labeled
> service. It centralizes all the rules for redhat < 6 sysvinit that
> were used in the _admin interfaces. The rules for other inits will
> be added later.

This set is merged.

> ---
> policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 40 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 0e7eaec..f39437e 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -963,6 +963,46 @@ interface(`init_all_labeled_script_domtrans',`
>
> ########################################
> ## <summary>
> +## Allow the role to start and stop
> +## labeled services.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be performing this action.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a daemon domain.
> +## </summary>
> +## </param>
> +## <param name="init_script_file">
> +## <summary>
> +## Labeled init script file.
> +## </summary>
> +## </param>
> +#
> +interface(`init_startstop_service',`
> + gen_require(`
> + role system_r;
> + ')
> +
> + ifndef(`direct_sysadm_daemon',`
> + # rules for sysvinit / upstart
> + init_labeled_script_domtrans($1, $4)
> + domain_system_change_exemption($1)
> + role_transition $2 $4 system_r;
> + allow $2 system_r;
> + ')
> +')
> +
> +########################################
> +## <summary>
> ## Start and stop daemon programs directly.
> ## </summary>
> ## <desc>
>
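
Review bot: every rule in init_startstop_service sits inside the ifndef on direct_sysadm_daemon, so when that is defined the interface expands to nothing beyond the gen_require, and neither the summary nor the "# rules for sysvinit / upstart" comment says so. Add a sentence to the summary, or a comment next to the ifndef, stating that this case is intentionally empty for now and that rules for other inits are to follow, as the commit message describes.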


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com