From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 18 May 2015 08:57:53 -0400
Subject: [refpolicy] [PATCH] Introduce init_manage_service_template
	interface
In-Reply-To: <1431642524-14781-1-git-send-email-jason@perfinion.com>
References: <1431642524-14781-1-git-send-email-jason@perfinion.com>
Message-ID: <5559E1D1.6090107@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 5/14/2015 6:28 PM, Jason Zaman wrote:
> This is to be used where a role needs to start and stop a service. It
> centralizes all the rules for redhat < 6 sysvinit that were used in the
> _admin interfaces. The rules for other inits will be added later.

I'm ok with this set, though I'm trying to decide if this is the right
name for this template.  I'm not sure if we should overload "manage"
since it already is create/read/write/delete on files, dirs, etc.


> ---
>  policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 40 insertions(+)
> 
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 0e7eaec..7938735 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -963,6 +963,46 @@ interface(`init_all_labeled_script_domtrans',`
>  
>  ########################################
>  ## <summary>
> +##	Allow the role to start and stop
> +##	labeled services.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	The role to be performing this action.
> +##	</summary>
> +## </param>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used as a daemon domain.
> +##	</summary>
> +## </param>
> +## <param name="init_script_file">
> +##	<summary>
> +##	Labeled init script file.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_manage_service_template',`
> +	gen_require(`
> +		role system_r;
> +	')
> +
> +	ifndef(`direct_sysadm_daemon',`
> +		# rules for sysvinit / upstart
> +		init_labeled_script_domtrans($1, $4)
> +		domain_system_change_exemption($1)
> +		role_transition $2 $4 system_r;
> +		allow $2 system_r;
> +	')
> +')
> +
> +########################################
> +## <summary>
>  ##	Start and stop daemon programs directly.
>  ## </summary>
>  ## <desc>
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com