From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 13 Sep 2017 18:53:01 -0400 Subject: [refpolicy] [PATCH 1/1] Add status into init_startstop_service interface In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B5D85C@Exchange10.columbia.tresys.com> References: <1B50C12ACFF4CB42B90D2581155DF50205B5D85C@Exchange10.columbia.tresys.com> Message-ID: <4a3f27a3-2579-b169-cd3d-1e2cdb90f764@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/13/2017 04:26 PM, David Sugar via refpolicy wrote: > Alter interface init_startstop_service to also allow for the status permission. systemctl start and systemctl stop work correctly. But systemctl restart will fail as restart uses status to determine the action to take. > > This interface is used by many other modules (like iptables, logging, apache, cron, etc... - see 'admin' interface). This allows restart to work for all these services. > > Signed-off-by: Dave Sugar > --- > policy/modules/system/init.if | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 59d9f1f0..09a20311 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if > @@ -1703,10 +1703,10 @@ interface(`init_startstop_service',` > # all callers are updated to provide unit files. > ifelse(`$5',`',`',` > gen_require(` > - class service { start stop }; > + class service { start status stop }; > ') > > - allow $1 $5:service { start stop }; > + allow $1 $5:service { start status stop }; > ') > ') > ') I believe I have rejected this change before, but I don't recall someone saying that it breaks the restart command without the status permission. Because of this issue, I've merged this change. -- Chris PeBenito
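Review bot: in the "@@ -1703,10 +1703,10 @@" hunk of policy/modules/system/init.if, the added status permission sits inside the ifelse branch that is only taken when $5 is non-empty, so it reaches only callers that pass a fifth argument. A caller that leaves $5 empty gets no service rule from this block, and the systemctl restart failure described in the commit message is not addressed for it by this hunk. It is worth confirming that the modules named in the commit message (iptables, logging, apache, cron) pass $5. Separately, the interface keeps the name init_startstop_service while "allow $1 $5:service { start status stop };" now grants three permissions, so the interface's description should say that status is included, since every caller that passes $5 gains it without any change on its side.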