* [refpolicy] [PATCH 1/1] Add status into init_startstop_service interface
From: David Sugar @ 2017-09-13 20:26 UTC
  To: refpolicy

Alter interface init_startstop_service to also allow for the status permission.  systemctl start <foo> and systemctl stop <foo> work correctly.  But systemctl restart <foo> will fail as restart uses status to determine the action to take.

This interface is used by many other modules (like iptables, logging, apache, cron, etc...  - see 'admin' interface).  This allows restart to work for all these services.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/init.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 59d9f1f0..09a20311 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1703,10 +1703,10 @@ interface(`init_startstop_service',`
 			# all callers are updated to provide unit files.
 			ifelse(`$5',`',`',`
 				gen_require(`
-					class service { start stop };
+					class service { start status stop };
 				')
 
-				allow $1 $5:service { start stop };
+				allow $1 $5:service { start status stop };
 			')
 		')
 	')
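Review bot: The added `status` permission sits inside the `ifelse(`$5',`',`',` branch, so it only reaches callers that pass a fifth argument; a caller that leaves `$5` empty gets no `service` rule from this block and gains nothing from the change. The context comment ("all callers are updated to provide unit files") implies that some callers may not pass it yet, so the commit message's claim that restart now works for "all these services" should be limited to callers that supply `$5`, or the remaining callers should be updated to pass their unit type.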
-- 
2.13.5


* [refpolicy] [PATCH 1/1] Add status into init_startstop_service interface
From: Chris PeBenito @ 2017-09-13 22:53 UTC
  To: refpolicy

On 09/13/2017 04:26 PM, David Sugar via refpolicy wrote:
> Alter interface init_startstop_service to also allow for the status permission.  systemctl start <foo> and systemctl stop <foo> work correctly.  But systemctl restart <foo> will fail as restart uses status to determine the action to take.
> 
> This interface is used by many other modules (like iptables, logging, apache, cron, etc...  - see 'admin' interface).  This allows restart to work for all these services.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/init.if | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 59d9f1f0..09a20311 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -1703,10 +1703,10 @@ interface(`init_startstop_service',`
>   			# all callers are updated to provide unit files.
>   			ifelse(`$5',`',`',`
>   				gen_require(`
> -					class service { start stop };
> +					class service { start status stop };
>   				')
>   
> -				allow $1 $5:service { start stop };
> +				allow $1 $5:service { start status stop };
>   			')
>   		')
>   	')
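Review bot: With `status` added to the `allow $1 $5:service` rule, the name `init_startstop_service` no longer describes everything the interface grants. Renaming it would break existing callers, so the interface's summary documentation should state that status queries on the unit are allowed as well, so anyone auditing what a domain passed as `$1` can do to the `$5` unit sees the full permission set rather than inferring it from the name.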

I believe I have rejected this change before, but I don't recall someone
saying that it breaks the restart command without the status permission.
Because of this issue, I've merged this change.

-- 
Chris PeBenito

