From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 22 May 2015 14:30:41 -0400
Subject: [refpolicy] [PATCH] Introduce init_startstop_service interface
In-Reply-To: <1432303685-7695-1-git-send-email-jason@perfinion.com>
References: <1432303685-7695-1-git-send-email-jason@perfinion.com>
Message-ID: <555F75D1.1080808@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 5/22/2015 10:08 AM, Jason Zaman wrote:
> This is to be used where a role needs to start and stop a labeled
> service. It centralizes all the rules for redhat < 6 sysvinit that
> were used in the _admin interfaces. The rules for other inits will
> be added later.
This set is merged.
> ---
> policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 40 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 0e7eaec..f39437e 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -963,6 +963,46 @@ interface(`init_all_labeled_script_domtrans',`
>
> ########################################
> ##
> +## Allow the role to start and stop
> +## labeled services.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +##
> +##
> +## The role to be performing this action.
> +##
> +##
> +##
> +##
> +## Type to be used as a daemon domain.
> +##
> +##
> +##
> +##
> +## Labeled init script file.
> +##
> +##
> +#
> +interface(`init_startstop_service',`
> + gen_require(`
> + role system_r;
> + ')
> +
> + ifndef(`direct_sysadm_daemon',`
> + # rules for sysvinit / upstart
> + init_labeled_script_domtrans($1, $4)
> + domain_system_change_exemption($1)
> + role_transition $2 $4 system_r;
> + allow $2 system_r;
> + ')
> +')
> +
> +########################################
> +##
> ## Start and stop daemon programs directly.
> ##
> ##
>
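Review bot: the third parameter, documented as "Type to be used as a daemon domain", is never referenced in the body of init_startstop_service; the rules inside the ifndef(`direct_sysadm_daemon') block use only $1, $2 and $4. If $3 is reserved for the rules for other inits that the commit message says will be added later, add a comment next to the "# rules for sysvinit / upstart" line saying so, so callers know why they must pass it. Otherwise drop it from the interface. Separately, when direct_sysadm_daemon is defined the interface expands to no rules beyond the gen_require for system_r, which deserves a sentence in the interface description.
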
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com