From: jason@perfinion.com (Jason Zaman)
Date: Tue, 12 May 2015 20:19:13 +0400
Subject: [refpolicy] system_r transition in _admin interfaces
Message-ID: <20150512161913.GA12436@meriadoc.Home>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi all,

In basically all of the foo_admin() interfaces there are the following exact same rules:

    init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
    domain_system_change_exemption($1)
    role_transition $2 ntpd_initrc_exec_t system_r;
    allow $2 system_r;

Do these even work anymore? They don't work on OpenRC and as far as I know SystemD doesn't work like that either. I don't really like having the system_r transition around if it doesn't even work as it should.

From what I understand they are used so that if another role wants to admin the service you just add ntp_admin(ntpadm_t, ntpadm_r) and it will then be allowed to start/stop ntp.

If I pull those lines out of all the _admin interfaces and make a separate interface that calls those, would the patch be accepted? Then inside that interface it would be easy to ifdef systemd, or ifdef openrc or whatever kind of init is being used and needs special rules.

Thoughts?

-- 
Jason
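What the proposed refactor could look like, as an added sketch that is not part of the post or of refpolicy: the four repeated rules move into one init interface that takes the caller domain, the role and the init script type, so the per-init-system special cases live in a single place. The interface name init_admin_startstop, the hypothetical service-unit parameter and the rules inside the init_systemd branch (systemd_exec_systemctl and the service class permissions) are assumptions, not confirmed refpolicy API; the four rules themselves are the ones quoted in the mail.

```m4
########################################
## <summary>
##	Allow an admin domain and its role to start and stop a
##	service via its init script (or unit, under systemd).
##	HYPOTHETICAL interface name and layout, added for illustration.
## </summary>
## <param name="domain"><summary>Admin domain allowed access.</summary></param>
## <param name="role"><summary>Admin role allowed access.</summary></param>
## <param name="init_script_file"><summary>Init script type.</summary></param>
## <param name="unit_file"><summary>systemd unit type (assumed).</summary></param>
#
interface(`init_admin_startstop',`
	gen_require(`
		role system_r;
	')

	# The rules that every foo_admin() currently repeats verbatim.
	init_labeled_script_domtrans($1, $3)
	domain_system_change_exemption($1)
	role_transition $2 $3 system_r;
	allow $2 system_r;

	# Init-system specific rules are now isolated here instead of
	# being copied into each module. The systemd branch is an assumption.
	ifdef(`init_systemd',`
		systemd_exec_systemctl($1)
		allow $1 $4:service { start stop status reload };
	')
')

########################################
## <summary>
##	Example caller: ntp_admin() would then collapse to one line
##	for the start/stop rules (ntpd_unit_t is an assumed type name).
## </summary>
#
interface(`ntp_admin_example',`
	gen_require(`
		type ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t;
	')

	allow $1 ntpd_t:process { ptrace signal_perms };
	ps_process_pattern($1, ntpd_t)

	init_admin_startstop($1, $2, ntpd_initrc_exec_t, ntpd_unit_t)
')
```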