From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 10 Aug 2012 19:05:00 +0200
Subject: [refpolicy] How to give _admin rights?
In-Reply-To: <20120809183851.GA2643@siphos.be>
References: <20120809183851.GA2643@siphos.be>
Message-ID: <20120810170500.GA13453@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Aug 09, 2012 at 08:38:51PM +0200, Sven Vermeulen wrote:
> Currently all administration I do is handled through the sysadm_r:sysadm_t
> context. As a result, I never needed to explicitly grant an admin interface
> (like nscd_admin) to a specific role.
>
> I'm now trying to allow a role (be it user_r, staff_r or a newly created
> role) to (re)start the NSCD init script (which is labeled
> nscd_initrc_exec_t) so I thought it would be sufficient to just add in:
> nscd_admin(staff_t, staff_r)
>
> However, a user (SELinux user staff_u) doesn't seem to be able to really use
> it properly, unless I also give that user the root password (which I don't)
> for the run_init command...

[...]

Thank you all for the feedback, especially Dominick who put me on the right
track.

What I failed to do was to grant the system_r role to the (SELinux) user that
I was giving _admin rights to. Because of that, no transition to
:system_r:initrc_t was possible.

By giving the user the system_r access, it was sufficient to just grant the
_admin to the user/role and use

~$ sudo /etc/init.d/nscd start

Wkr,
  Sven Vermeulen
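As an added example, not part of this thread: a POSIX shell check for the condition described above, whether an SELinux user's role set includes system_r, so a policy author can confirm that before expecting an _admin interface to let a user run an init script. The function names and the `semanage user -l` sample output are my own constructions; on a real host the functions take the live `semanage user -l` output as their third argument.

```shell
#!/bin/sh
# Added example (not from the refpolicy thread). Checks whether an SELinux
# user is allowed a given role, and prints the semanage command that would add
# the role while keeping the roles already assigned.
# Assumption: semanage prints one line per SELinux user, with role names
# (ending in _r) as trailing fields; works for MLS and non-MLS column layouts.

# Constructed sample of `semanage user -l` output: staff_u lacks system_r,
# which is the situation that blocked the transition to system_r:initrc_t.
SAMPLE_USERS='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            sysadm     s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
staff_u         staff      s0         s0-s0:c0.c1023                 staff_r sysadm_r
user_u          user       s0         s0                             user_r'

# user_has_role USER ROLE [OUTPUT]: exit 0 if ROLE is listed for USER.
# OUTPUT defaults to the constructed sample; pass "$(semanage user -l)" live.
user_has_role() {
    user=$1; role=$2; out=${3:-$SAMPLE_USERS}
    printf '%s\n' "$out" | awk -v u="$user" -v r="$role" '
        $1 == u { for (i = 2; i <= NF; i++) if ($i == r) found = 1 }
        END { exit found ? 0 : 1 }'
}

# fix_command USER ROLE [OUTPUT]: print the semanage invocation that adds
# ROLE to USER's existing roles; prints nothing if ROLE is already present.
fix_command() {
    user=$1; role=$2; out=${3:-$SAMPLE_USERS}
    if user_has_role "$user" "$role" "$out"; then return 0; fi
    current=$(printf '%s\n' "$out" | awk -v u="$user" '
        $1 == u { for (i = 2; i <= NF; i++) if ($i ~ /_r$/) s = s (s ? " " : "") $i }
        END { print s }')
    printf "semanage user -m -R '%s %s' %s\n" "$current" "$role" "$user"
}

# Demonstration against the constructed sample. After applying the printed
# command, `sesearch -T -s staff_t -t nscd_initrc_exec_t -c process` can be
# used to confirm the type transition rule that nscd_admin() is expected to add.
if user_has_role staff_u system_r; then
    echo "staff_u already has system_r"
else
    echo "staff_u lacks system_r; fix with:"
    fix_command staff_u system_r
fi
```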