From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 18 May 2015 08:57:53 -0400
Subject: [refpolicy] [PATCH] Introduce init_manage_service_template interface
In-Reply-To: <1431642524-14781-1-git-send-email-jason@perfinion.com>
References: <1431642524-14781-1-git-send-email-jason@perfinion.com>
Message-ID: <5559E1D1.6090107@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 5/14/2015 6:28 PM, Jason Zaman wrote:
> This is to be used where a role needs to start and stop a service. It
> centralizes all the rules for redhat < 6 sysvinit that were used in the
> _admin interfaces. The rules for other inits will be added later.

I'm ok with this set, though I'm trying to decide if this is the right name for this template. I'm not sure if we should overload "manage" since it already is create/read/write/delete on files, dirs, etc.

> ---
> policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 40 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 0e7eaec..7938735 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -963,6 +963,46 @@ interface(`init_all_labeled_script_domtrans',` > > ######################################## > ## > +## Allow the role to start and stop > +## labeled services. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## The role to be performing this action. > +## > +## > +## > +## > +## Type to be used as a daemon domain. > +## > +## > +## > +## > +## Labeled init script file. > +## > +## > +# > +interface(`init_manage_service_template',` > + gen_require(` > + role system_r; > + ') > + > + ifndef(`direct_sysadm_daemon',` > + # rules for sysvinit / upstart > + init_labeled_script_domtrans($1, $4) > + domain_system_change_exemption($1) > + role_transition $2 $4 system_r; > + allow $2 system_r; > + ') > +') > + > +######################################## > +## > ## Start and stop daemon programs directly. > ## > ## > >
-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
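Review bot: in the new init_manage_service_template body, the third documented parameter ("Type to be used as a daemon domain", $3) is never referenced; only $1, $2 and $4 appear (init_labeled_script_domtrans($1, $4), domain_system_change_exemption($1), role_transition $2 $4 system_r, allow $2 system_r). Either drop $3 from the parameter list and the doc block, or add a comment next to the ifndef saying it is reserved for the non-sysvinit rules the commit message says will follow, so a caller does not pass a daemon type that silently has no effect. Related to the naming question already raised: the macro is called init_manage_service_template but is declared with interface(` and declares no types, while refpolicy uses template() for macros that create types; pick one or the other so the name and the declaration agree. Minor: the gen_require for role system_r sits outside the ifndef(`direct_sysadm_daemon') block, so it is required even in a direct_sysadm_daemon build where nothing in the body uses it; moving it inside the ifndef keeps the require scoped to the rules that need it.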