From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 12 May 2015 13:04:29 -0400
Subject: [refpolicy] system_r transition in _admin interfaces
In-Reply-To: <20150512161913.GA12436@meriadoc.Home>
References: <20150512161913.GA12436@meriadoc.Home>
Message-ID: <5552329D.4000005@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 5/12/2015 12:19 PM, Jason Zaman wrote:
> Hi all,
> 
> In basically all of the foo_admin() interfaces there are the following
> exact same rules:
> 
> init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
> domain_system_change_exemption($1)
> role_transition $2 ntpd_initrc_exec_t system_r;
> allow $2 system_r;
> 
> Do these even work anymore? They dont work on OpenRC and as far as I
> know SystemD doesnt work like that either. I dont really like having the
> system_r transition around if it doesnt even work as it should.
> 
>>From what I understand they are used so that if another role wants to
> admin the service you just add ntp_admin(ntpadm_t, ntpadm_r) and it will
> then be allowed to start/stop ntp.
> 
> If I pull those lines out of all the _admin interfaces and make a
> separate interface that calls those, would the patch be accepted? Then
> inside that interface it would be easy to ifdef systemd, or ifdef
> openrc or whatever kind of init is being used and needs special rules.

I think what we're getting at is actually a more abstract interface: the
perms to start/stop a daemon.  The above rules are what it takes for
traditional sysvinit-like services, while systemd and openrc have their
own behaviors.  So I think we should replace the above lines in the
admin interfaces with calls to interfaces that look like (pseudocode):

in init.if:

define init_start_service_template
	ifdef init_systemd:
		allow $caller $domain:service start;
	else ifdef init_sysvinit or init_upstart:
		init_labeled_script_domtrans($caller, $entrypoint)
		domain_system_change_exemption($caller)
		...
	else ifdef init_openrc
		...
	endif


in ntp.if:

template ntp_start_service
	init_start_service_template($caller, $role, ntpd_t, ntpd_initrc_exec_t)


Then with these in place, it should hopefully work right without much
effort, and the individual modules don't know or care about the details
of start/stop a service.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com