From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 12 May 2015 13:04:29 -0400
Subject: [refpolicy] system_r transition in _admin interfaces
In-Reply-To: <20150512161913.GA12436@meriadoc.Home>
References: <20150512161913.GA12436@meriadoc.Home>
Message-ID: <5552329D.4000005@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 5/12/2015 12:19 PM, Jason Zaman wrote:
> Hi all,
>
> In basically all of the foo_admin() interfaces there are the following
> exact same rules:
>
> init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
> domain_system_change_exemption($1)
> role_transition $2 ntpd_initrc_exec_t system_r;
> allow $2 system_r;
>
> Do these even work anymore? They don't work on OpenRC and as far as I
> know SystemD doesn't work like that either. I don't really like having the
> system_r transition around if it doesn't even work as it should.
>
> From what I understand they are used so that if another role wants to
> admin the service you just add ntp_admin(ntpadm_t, ntpadm_r) and it will
> then be allowed to start/stop ntp.
>
> If I pull those lines out of all the _admin interfaces and make a
> separate interface that calls those, would the patch be accepted? Then
> inside that interface it would be easy to ifdef systemd, or ifdef
> openrc or whatever kind of init is being used and needs special rules.

I think what we're getting at is actually a more abstract interface: the
perms to start/stop a daemon. The above rules are what it takes for
traditional sysvinit-like services, while systemd and openrc have their
own behaviors. So I think we should replace the above lines in the admin
interfaces with calls to interfaces that look like (pseudocode):

in init.if:

    define init_start_service_template
        ifdef init_systemd:
            allow $caller $domain:service start;
        else ifdef init_sysvinit or init_upstart:
            init_labeled_script_domtrans($caller, $entrypoint)
            domain_system_change_exemption($caller)
            ...
        else ifdef init_openrc
            ...
        endif

in ntp.if:

    template ntp_start_service
        init_start_service_template($caller, $role, ntpd_t, ntpd_initrc_exec_t)

Then with these in place, it should hopefully work right without much
effort, and the individual modules don't know or care about the details
of start/stop a service.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
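The pseudocode above, written out in refpolicy's m4 interface syntax as an added illustration (this is not refpolicy's own code, nor a patch from either poster). The interface name `init_startstop_service`, its parameter order, and the `ntp_admin` rules shown around the call are assumptions made for the example; `init_systemd` is assumed to be the build-time m4 define refpolicy sets when built for systemd, and the `service` object class permissions follow the systemd service class. No OpenRC branch is written because the thread gives no rules for it.

```m4
## <summary>
##	Start and stop a daemon, using whichever mechanism the
##	policy was built for (illustrative interface, not refpolicy's).
## </summary>
## <param name="domain">
##	<summary>Domain allowed to start/stop the service.</summary>
## </param>
## <param name="role">
##	<summary>Role of that domain; only gets system_r on sysvinit.</summary>
## </param>
## <param name="service_domain">
##	<summary>Domain of the daemon (also labels its systemd unit).</summary>
## </param>
## <param name="script_type">
##	<summary>Type of the daemon's init script (unused on systemd).</summary>
## </param>
#
interface(`init_startstop_service',`
	gen_require(`
		role system_r;
	')

	ifdef(`init_systemd',`
		# systemd spawns the daemon itself, so the caller never
		# executes the init script and its role never needs
		# system_r; the only object it touches is the unit.
		allow $1 $3:service { start stop status reload };
	',`
		# sysvinit/upstart: the caller runs the labeled init
		# script, which means temporarily entering system_r.
		# These are the four rules the thread says every
		# foo_admin() interface currently repeats.
		init_labeled_script_domtrans($1, $4)
		domain_system_change_exemption($1)
		role_transition $2 $4 system_r;
		allow $2 system_r;
	')
')

# In ntp.if: the admin interface stops carrying init-system details.
# The ptrace/ps rules are the usual shape of a refpolicy admin
# interface and are included only to show where the call sits.
interface(`ntp_admin',`
	gen_require(`
		type ntpd_t, ntpd_initrc_exec_t;
	')

	allow $1 ntpd_t:process { ptrace signal_perms };
	ps_process_pattern($1, ntpd_t)

	# Replaces the init_labeled_script_domtrans / role_transition /
	# allow $2 system_r block quoted in the thread.
	init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t)
')
```

The point of splitting the branches is least privilege: on a systemd build the admin role is never granted `system_r` at all, and `sesearch --allow -s ntpadm_t -t ntpd_t -c service` on the compiled policy shows exactly the four unit permissions and nothing else; on a sysvinit build the same query is empty and the role transition is what carries the grant instead.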