From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 28 Apr 2011 22:00:02 +0200
Subject: [refpolicy] [RFC/PATCH 1/1] system admin needs to use mdadm, but type is not allowed
Message-ID: <20110428200002.GA30223@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The system administrator (sysadm_r role) needs to use mdadm, but is not allowed to use the mdadm_t or mdadm_exec_t types. Rather than extend raid_domtrans_mdadm to allow this as well, use a raid_mdadm_role (a bit more in line with other role usages). The other users of raid_domtrans_mdadm are all domains that run in the system_r role, which does have this type allowed (as per the system/raid.te definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.

Signed-off-by: Sven Vermeulen
---
 policy/modules/roles/sysadm.te |    2 +-
 policy/modules/system/raid.if  |   23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4a8d146..47951d4 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -261,7 +261,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	raid_domtrans_mdadm(sysadm_t)
+	raid_mdadm_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
index c817fda..ff59e2c 100644
--- a/policy/modules/system/raid.if
+++ b/policy/modules/system/raid.if
@@ -47,3 +47,26 @@ interface(`raid_manage_mdadm_pid',`
 	# mdadm policy
 	allow $1 mdadm_var_run_t:file manage_file_perms;
 ')
+
+######################################
+##
+##	Allow execution and transitioning into mdadm_t
+##
+##
+##
+##	Role allowed to access mdad_t domain
+##
+##
+##
+##
+##	Domain allowed to transition
+##
+##
+#
+interface(`raid_mdadm_role',`
+	gen_require(`
+		type mdadm_t, mdadm_exec_t;
+	')
+	role $1 types { mdadm_t mdadm_exec_t };
+	raid_domtrans_mdadm($2)
+')
-- 
1.7.3.4
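Review bot: on the sysadm.te hunk, confirm that `raid_mdadm_role(sysadm_r, sysadm_t)` is meant to be a minimal role interface: the message says it follows "other role usages", and the refpolicy `_role` interfaces it is modelled on usually also let the calling domain inspect and signal the spawned domain (a `ps_process_pattern($2, mdadm_t)` plus `allow $2 mdadm_t:process { ptrace signal_perms };`), so that an administrator can stop a wedged mdadm started from the admin shell. If sysadm_t already gets those permissions elsewhere that is fine, but say so in the commit message, because as written the only thing the new call adds over the old `raid_domtrans_mdadm(sysadm_t)` is the role-type authorization.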
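Review bot: in the raid.if hunk, `role $1 types { mdadm_t mdadm_exec_t };` lists a file type under the role, which has no effect: files carry object_r, so mdadm_exec_t never appears in a sysadm_r security context, and the role check that actually fails on the domain transition is the one on the process type, mdadm_t. `role $1 types mdadm_t;` is what the other refpolicy `_role` interfaces write and is all this one needs. Two smaller points in the same block: the parameter description has a typo (`mdad_t` should be `mdadm_t`), and the `<summary>` and `<param name="...">` tags the refpolicy documentation generator expects around the `##` comment lines are not visible in this copy of the patch, so check that they are present in what gets applied.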
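The failure the message describes, modelled as an added example (this is my code, not refpolicy's): the type-enforcement rules that raid_domtrans_mdadm grants are all present, and the exec from sysadm_t still fails because the role is carried across the domain transition, and sysadm_r is not authorized for mdadm_t. The policy fragment is constructed to approximate what refpolicy's domtrans_pattern expands to, plus the `role system_r types mdadm_t;` the message attributes to raid.te; the parser handles only those three statement kinds and models none of the other checks the kernel applies (execute_no_trans, constraints, MLS). The third case in the usage run shows that listing mdadm_exec_t in the role statement changes nothing, since the role check is on the process type.

```python
import re

# Statement parsers for the tiny policy subset this model understands.
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?);$")
ROLE_RE = re.compile(r"^role\s+(\S+)\s+types\s+(\{[^}]*\}|\S+?);$")
TRANS_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):process\s+(\S+?);$")


def _words(token):
    """'{ a b }' -> {'a', 'b'}; 'a' -> {'a'}."""
    return set(token.strip("{}").split())


class Policy:
    """Minimal model of the policy statements that decide a domain transition."""

    def __init__(self, text):
        self.allow = set()      # (source, target, class, permission)
        self.role_types = {}    # role -> set of process types it may run
        self.transitions = {}   # (source domain, exec type) -> new domain
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if m := ALLOW_RE.match(line):
                src, tgt, cls, perms = m.groups()
                self.allow.update((src, tgt, cls, p) for p in _words(perms))
            elif m := ROLE_RE.match(line):
                self.role_types.setdefault(m.group(1), set()).update(_words(m.group(2)))
            elif m := TRANS_RE.match(line):
                self.transitions[(m.group(1), m.group(2))] = m.group(3)
            else:
                raise ValueError(f"unsupported statement: {line}")

    def permits(self, src, tgt, cls, perm):
        return (src, tgt, cls, perm) in self.allow


def exec_check(policy, role, src, exec_type):
    """Checks applied when a process in domain `src`, running as `role`, execs a
    file of type `exec_type`.  Returns (resulting domain, list of denials)."""
    new = policy.transitions.get((src, exec_type), src)
    denials = []
    if not policy.permits(src, exec_type, "file", "execute"):
        denials.append(f"{src} may not execute {exec_type}")
    if new != src:
        # The TE checks that domtrans_pattern satisfies ...
        if not policy.permits(src, new, "process", "transition"):
            denials.append(f"{src} may not transition to {new}")
        if not policy.permits(new, exec_type, "file", "entrypoint"):
            denials.append(f"{exec_type} is not an entrypoint for {new}")
        # ... and the RBAC check it does not: the role is kept across the
        # transition, so the role must be allowed the new process type.
        if new not in policy.role_types.get(role, set()):
            denials.append(f"role {role} is not allowed type {new}")
    return new, denials


# Constructed fragment (an assumption, not copied from refpolicy): roughly what
# raid_domtrans_mdadm(sysadm_t) expands to via domtrans_pattern, plus the
# system_r role statement the commit message attributes to system/raid.te.
BASE_POLICY = """
allow sysadm_t mdadm_exec_t:file { getattr open read execute };
allow sysadm_t mdadm_t:process transition;
allow mdadm_t mdadm_exec_t:file entrypoint;
type_transition sysadm_t mdadm_exec_t:process mdadm_t;
role system_r types mdadm_t;
"""


def mdadm_from_sysadm(role_patch=""):
    """Simulate sysadm_t execing an mdadm_exec_t file as sysadm_r, with an
    optional extra role statement appended (e.g. the one raid_mdadm_role adds)."""
    policy = Policy(BASE_POLICY + role_patch + "\n")
    return exec_check(policy, "sysadm_r", "sysadm_t", "mdadm_exec_t")


if __name__ == "__main__":
    cases = {
        "before patch": "",
        "raid_mdadm_role as posted": "role sysadm_r types { mdadm_t mdadm_exec_t };",
        "process type only": "role sysadm_r types mdadm_t;",
    }
    for label, patch in cases.items():
        domain, denials = mdadm_from_sysadm(patch)
        print(f"{label:28} -> {domain}: {denials or 'permitted'}")
```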