From: dsugar@tresys.com (David Sugar)
Date: Wed, 13 Sep 2017 20:26:57 +0000
Subject: [refpolicy] [PATCH 1/1] Add status into init_startstop_service
	interface
Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B5D85C@Exchange10.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Alter interface init_startstop_service to also allow for the status permission.  systemctl start <foo> and systemctl stop <foo> work correctly.  But systemctl restart <foo> will fail as restart uses status to determine the action to take.

This interface is used by many other modules (like iptables, logging, apache, cron, etc...  - see 'admin' interface).  This allows restart to work for all these services.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/init.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 59d9f1f0..09a20311 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1703,10 +1703,10 @@ interface(`init_startstop_service',`
 			# all callers are updated to provide unit files.
 			ifelse(`$5',`',`',`
 				gen_require(`
-					class service { start stop };
+					class service { start status stop };
 				')
 
-				allow $1 $5:service { start stop };
+				allow $1 $5:service { start status stop };
 			')
 		')
 	')
-- 
2.13.5