From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 12 May 2015 18:31:56 +0200
Subject: [refpolicy] system_r transition in _admin interfaces
In-Reply-To: <20150512161913.GA12436@meriadoc.Home>
References: <20150512161913.GA12436@meriadoc.Home>
Message-ID: <20150512163154.GC9693@x131e>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, May 12, 2015 at 08:19:13PM +0400, Jason Zaman wrote:
> Hi all,
>
> In basically all of the foo_admin() interfaces there are the following
> exact same rules:
>
>     init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
>     domain_system_change_exemption($1)
>     role_transition $2 ntpd_initrc_exec_t system_r;
>     allow $2 system_r;
>
> Do these even work anymore? They don't work on OpenRC and as far as I
> know SystemD doesn't work like that either. I don't really like having the
> system_r transition around if it doesn't even work as it should.

They work and are required on < RHEL 6.*

>
> From what I understand they are used so that if another role wants to
> admin the service you just add ntp_admin(ntpadm_t, ntpadm_r) and it will
> then be allowed to start/stop ntp.
>

Yes

> If I pull those lines out of all the _admin interfaces and make a
> separate interface that calls those, would the patch be accepted? Then
> inside that interface it would be easy to ifdef systemd, or ifdef
> openrc or whatever kind of init is being used and needs special rules.
>
> Thoughts?

Not my call to make.

However, I noticed today that recently you did a little work in Gentoo
trying to call all the admin interfaces in sysadm.te.

Please make sure that you build test it thoroughly (also test build
monolithic, direct_sysadmin etc).

Not because you may want to support monolithic build in Gentoo but
because you want to make sure you at least stay to some extent compliant
with refpolicy.

It would be a shame if you spent a lot of time on some feature and much
later determine that it's not upstreamable because upstream needs to
support functionality that Gentoo does not need to support and thereby
neglected to test.

I am saying this because I vaguely recall my trying to call all those
admin() interfaces in sysadm.te in refpolicy but it failed to pass the
build test then.

I might be wrong; I am just giving you a heads-up in advance.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift