From: jason@perfinion.com (Jason Zaman)
Date: Tue, 12 May 2015 22:04:27 +0400
Subject: [refpolicy] system_r transition in _admin interfaces
In-Reply-To: <5552329D.4000005@tresys.com>
References: <20150512161913.GA12436@meriadoc.Home> <5552329D.4000005@tresys.com>
Message-ID: <20150512180427.GA14524@meriadoc.Home>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, May 12, 2015 at 01:04:29PM -0400, Christopher J. PeBenito wrote:
> On 5/12/2015 12:19 PM, Jason Zaman wrote:
> > Hi all,
> >
> > In basically all of the foo_admin() interfaces there are the following
> > exact same rules:
> >
> > init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
> > domain_system_change_exemption($1)
> > role_transition $2 ntpd_initrc_exec_t system_r;
> > allow $2 system_r;
> >
> > Do these even work anymore? They don't work on OpenRC and as far as I
> > know systemd doesn't work like that either. I don't really like having the
> > system_r transition around if it doesn't even work as it should.
> >
> > From what I understand they are used so that if another role wants to
> > admin the service you just add ntp_admin(ntpadm_t, ntpadm_r) and it will
> > then be allowed to start/stop ntp.
> >
> > If I pull those lines out of all the _admin interfaces and make a
> > separate interface that calls those, would the patch be accepted? Then
> > inside that interface it would be easy to ifdef systemd, or ifdef
> > openrc or whatever kind of init is being used and needs special rules.
>
> I think what we're getting at is actually a more abstract interface: the
> perms to start/stop a daemon. The above rules are what it takes for
> traditional sysvinit-like services, while systemd and openrc have their
> own behaviors. So I think we should replace the above lines in the
> admin interfaces with calls to interfaces that look like (pseudocode):
>
> in init.if:
>
> define init_start_service_template
>   ifdef init_systemd:
>     allow $caller $domain:service start;
>   else ifdef init_sysvinit or init_upstart:
>     init_labeled_script_domtrans($caller, $entrypoint)
>     domain_system_change_exemption($caller)
>     ...
>   else ifdef init_openrc
>     ...
>   endif
>
>
> in ntp.if:
>
> template ntp_start_service
>   init_start_service_template($caller, $role, ntpd_t, ntpd_initrc_exec_t)
>
>
> Then with these in place, it should hopefully work right without much
> effort, and the individual modules don't know or care about the details
> of start/stop a service.

This is exactly what I was aiming for. Great, we're all on the same page. I
will prepare some patches then and send soon.

That looks like a decent list of parameters on the interface, should cover
all the different inits. I'll make the interface without the ifdef's first
so nothing changes. We can add in systemd and openrc after the rest is done.

-- 
Jason
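Written out in refpolicy's m4 interface style, the pseudocode discussed in this thread would look roughly like the following. This is an added illustration, not code from the thread or from refpolicy itself: the interface name and parameters follow the pseudocode, `ntp_startstop` is a hypothetical name for the per-module wrapper, and the systemd branch checks the `service` permission against the daemon domain only because the pseudocode does, which is an assumption rather than a verified refpolicy convention.

```m4
########################################
## <summary>
##	Allow a domain and its role to start and stop a daemon,
##	hiding the init-system-specific rules from the calling module.
## </summary>
## <param name="domain"><summary>Domain allowed to start/stop the service.</summary></param>
## <param name="role"><summary>Role of that domain.</summary></param>
## <param name="daemon"><summary>Domain of the daemon (e.g. ntpd_t).</summary></param>
## <param name="entrypoint"><summary>Init script type (e.g. ntpd_initrc_exec_t).</summary></param>
#
interface(`init_start_service_template',`
	ifdef(`init_systemd',`
		# systemd: the caller asks systemd to act on the unit, so the
		# check is a service-class permission rather than a domain
		# transition into an init script domain. Using the daemon
		# domain ($3) as the target follows the pseudocode and is an
		# assumption; no role_transition to system_r is needed here.
		allow $1 $3:service { start stop status };
	',`
		# sysvinit/upstart style: run the labelled init script in its
		# own domain and let the caller's role change to system_r for
		# that process only. These are the four rules currently
		# repeated in every foo_admin() interface.
		gen_require(`
			role system_r;
		')

		init_labeled_script_domtrans($1, $4)
		domain_system_change_exemption($1)
		role_transition $2 $4 system_r;
		allow $2 system_r;
	')
')

########################################
## in ntp.if: the module only names its own types and delegates
## everything init-specific to the interface above.
#
interface(`ntp_startstop',`
	gen_require(`
		type ntpd_t, ntpd_initrc_exec_t;
	')

	init_start_service_template($1, $2, ntpd_t, ntpd_initrc_exec_t)
')
```

With the ifdef left out initially, as proposed in the reply, the non-systemd branch is the only one compiled and the resulting policy is unchanged from today's _admin interfaces.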