From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 28 Apr 2011 22:44:14 +0200
Subject: [refpolicy] [RFC/PATCH 1/1] system admin needs to use mdadm, but type is not allowed
In-Reply-To: <20110428200002.GA30223@siphos.be>
References: <20110428200002.GA30223@siphos.be>
Message-ID: <20110428204414.GA1777@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

After a quick discussion with dominique, new attempt due to two issues:

1. No need (or even forbidden) to have "role $1 types foo_exec_t"
2. Suggestion to use the raid_run_mdadm name instead of raid_mdadm_role.
   The idea here is to use raid_mdadm_role for prefixed domains (cfr. screen)
   whereas raid_run_mdadm is to transition and run into a specific domain

Without wanting to (re?)start any discussion on prefixed versus non-prefixed domains, such a naming convention could help us to keep the reference policy cleaner (and naming conventions easy). Also, refpolicy InterfaceNaming document only talks about run, not role.

So, without much further ado... ;-)

The system administrator (sysadm_r role) needs to use mdadm, but is not allowed to use the mdadm_t type. Rather than extend raid_domtrans_mdadm to allow this as well, use a raid_mdadm_role (a bit more conform other role usages).

The other users of raid_domtrans_mdadm are all domains that run in system_r role, which does have this type allowed (as per the system/raid.te definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.

Signed-off-by: Sven Vermeulen
--- policy/modules/roles/sysadm.te | 2 +- policy/modules/system/raid.if | 25 +++++++++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletions(-) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 4a8d146..c22a7fb 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -261,7 +261,7 @@ optional_policy(` ') optional_policy(` - raid_domtrans_mdadm(sysadm_t) + raid_run_mdadm(sysadm_r, sysadm_t) ') optional_policy(` 
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if index c817fda..893a341 100644 --- a/policy/modules/system/raid.if +++ b/policy/modules/system/raid.if @@ -47,3 +47,28 @@ interface(`raid_manage_mdadm_pid',` # mdadm policy allow $1 mdadm_var_run_t:file manage_file_perms; ') + +###################################### +## +## Execute a domain transition to mdadm_t for the +## specified role, allowing it to use the mdadm_t +## domain +## +## +## +## Role allowed to access mdadm_t domain +## +## +## +## +## Domain allowed to transition to mdadm_t +## +## +# +interface(`raid_run_mdadm',` + gen_require(` + type mdadm_t; + ') + role $1 types mdadm_t; + raid_domtrans_mdadm($2) +') -- 1.7.3.4
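Review bot: in the sysadm.te hunk the call is now raid_run_mdadm(sysadm_r, sysadm_t), but the patch description still says to "use a raid_mdadm_role", the name this revision dropped. Please update the description to name raid_run_mdadm so the commit log matches the interface that the raid.if hunk actually adds.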
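Review bot: in the raid.if hunk, raid_run_mdadm takes the role as $1 and the domain as $2 (role $1 types mdadm_t; raid_domtrans_mdadm($2)), and the header comment documents the parameters in that same order. Since the message leans on the InterfaceNaming document for the run naming, please confirm that this role-first argument order is the one used by the other run interfaces, so that callers such as the sysadm.te line do not end up passing arguments in a different order than they do elsewhere. Also, as the hunk appears here, the ## lines around the summary and the two parameter descriptions are empty; if the documentation tags are really absent from the patch rather than lost in transit, they need to be added.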