* [refpolicy] [PATCH 1/1] Add status into init_startstop_service interface
From: David Sugar @ 2017-09-13 20:26 UTC (permalink / raw)
To: refpolicy
Alter interface init_startstop_service to also allow for the status permission. systemctl start <foo> and systemctl stop <foo> work correctly. But systemctl restart <foo> will fail as restart uses status to determine the action to take.
This interface is used by many other modules (like iptables, logging, apache, cron, etc... - see 'admin' interface). This allows restart to work for all these services.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/system/init.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 59d9f1f0..09a20311 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1703,10 +1703,10 @@ interface(`init_startstop_service',`
# all callers are updated to provide unit files.
ifelse(`$5',`',`',`
gen_require(`
- class service { start stop };
+ class service { start status stop };
')
- allow $1 $5:service { start stop };
+ allow $1 $5:service { start status stop };
')
')
')
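Review bot: the added status permission sits inside the non-empty branch of ifelse(`$5',`',`', so it is only granted when the caller passes a fifth argument. Callers that have not yet been updated to provide unit files, which the context comment above the branch says still exist, get no service permissions from this block, and restart stays broken for them. The commit message lists iptables, logging, apache and cron as beneficiaries; it is worth confirming that those callers actually pass $5. Separately, the diffstat shows only these two lines changed, so the interface's documentation is untouched. Since the interface is named for start and stop, its summary should say that status is now granted as well.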
--
2.13.5
* [refpolicy] [PATCH 1/1] Add status into init_startstop_service interface
From: Chris PeBenito @ 2017-09-13 22:53 UTC (permalink / raw)
To: refpolicy
On 09/13/2017 04:26 PM, David Sugar via refpolicy wrote:
> Alter interface init_startstop_service to also allow for the status permission. systemctl start <foo> and systemctl stop <foo> work correctly. But systemctl restart <foo> will fail as restart uses status to determine the action to take.
>
> This interface is used by many other modules (like iptables, logging, apache, cron, etc... - see 'admin' interface). This allows restart to work for all these services.
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/system/init.if | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 59d9f1f0..09a20311 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -1703,10 +1703,10 @@ interface(`init_startstop_service',`
> # all callers are updated to provide unit files.
> ifelse(`$5',`',`',`
> gen_require(`
> - class service { start stop };
> + class service { start status stop };
> ')
>
> - allow $1 $5:service { start stop };
> + allow $1 $5:service { start status stop };
> ')
> ')
> ')
I believe I have rejected this change before, but I don't recall someone
saying that it breaks the restart command without the status permission.
Because of this issue, I've merged this change.
--
Chris PeBenito