commit: 5454b1692fd734babb5b459922136c7dfc7c4aa2 Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Fri May 22 14:08:05 2015 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Fri May 22 19:16:43 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5454b169
Introduce init_startstop_service interface This is to be used where a role needs to start and stop a labeled service. It centralizes all the rules for redhat < 6 sysvinit that were used in the _admin interfaces. The rules for other inits will be added later. policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 61db079..acf1fae 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1008,6 +1008,46 @@ interface(`init_startstop_service',`
 ########################################
 ## <summary>
+## Allow the role to start and stop
+## labeled services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be performing this action.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type to be used as a daemon domain.
+## </summary>
+## </param>
+## <param name="init_script_file">
+## <summary>
+## Labeled init script file.
+## </summary>
+## </param>
+#
+interface(`init_startstop_service',`
+ gen_require(`
+ role system_r;
+ ')
+
+ ifndef(`direct_sysadm_daemon',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
+')
+
+########################################
+## <summary>
 ## Start and stop daemon programs directly.
 ## </summary>
 ## <desc>
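Review bot: The header comment for the new `init_startstop_service` interface documents two parameters under the same name: the third `<param name="domain">` repeats the first, and the body never references `$3`. A caller cannot tell from the docs which argument is which, or that the daemon-domain argument is currently ignored. I would give the third entry a distinct name, e.g. `<param name="daemon_domain">`, and note in its summary that the sysvinit rules do not use it yet. The summary also understates what is granted: under the `ifndef` on `direct_sysadm_daemon`, the calling role receives `allow $2 system_r;`, a `role_transition` on `$4`, and `domain_system_change_exemption($1)`, which as far as I can tell lets it move into `system_r` through the labeled script. A line such as `## Only use for administrative roles: this lets the role transition to system_r via the labeled init script.` would make that visible to anyone auditing the `_admin` callers.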
