From: jason@perfinion.com (Jason Zaman)
Date: Tue, 12 May 2015 20:19:13 +0400
Subject: [refpolicy] system_r transition in _admin interfaces
Message-ID: <20150512161913.GA12436@meriadoc.Home>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi all,

In basically all of the foo_admin() interfaces there are the following
exact same rules:

init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ntpd_initrc_exec_t system_r;
allow $2 system_r;

Do these even work anymore? They dont work on OpenRC and as far as I
know SystemD doesnt work like that either. I dont really like having the
system_r transition around if it doesnt even work as it should.

>From what I understand they are used so that if another role wants to
admin the service you just add ntp_admin(ntpadm_t, ntpadm_r) and it will
then be allowed to start/stop ntp.

If I pull those lines out of all the _admin interfaces and make a
separate interface that calls those, would the patch be accepted? Then
inside that interface it would be easy to ifdef systemd, or ifdef
openrc or whatever kind of init is being used and needs special rules.

Thoughts?
-- Jason