If the interface files are written properly, you should be able to call
the _systemctl interfaces:

dnsmasq_systemctl(NetworkManager_t)

For example:
interface(`dnsmasq_systemctl',`
	gen_require(`
		type dnsmasq_unit_file_t;
		type dnsmasq_t;
	')

	# execute the systemctl binary and ask init (systemd) to reload its service configuration
	systemd_exec_systemctl($1)
	init_reload_services($1)

	# read the dnsmasq unit file and start/stop/status/reload the dnsmasq service object
	allow $1 dnsmasq_unit_file_t:file read_file_perms;
	allow $1 dnsmasq_unit_file_t:service manage_service_perms;

	# "systemctl status" lists the service's processes
	ps_process_pattern($1, dnsmasq_t)
')
On 01/02/2015 12:03 PM, Joseph L. Casale wrote:
We use snmp extends to invoke commands on various hosts, obviously with
SELinux enabled we need to accommodate the command.
We have one that invokes systemctl, so depending on the unit files installed
the policy varies. That's not a scalable approach so what is the best practice
here for writing a policy that allows snmpd to invoke systemctl where we
allow something like:
allow snmpd_t *_unit_file_t:service status;
allow snmpd_t init_t:system status;
allow snmpd_t init_t:unix_stream_socket connectto;
allow snmpd_t self:netlink_route_socket nlmsg_write;
allow snmpd_t systemd_systemctl_exec_t:file { read execute open execute_no_trans };
allow snmpd_t usr_t:file unlink;
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
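Putting the reply's advice into practice for the snmpd case in the question, here is an added example (not code from the thread or from the selinux-policy project): a small POSIX shell script that generates a local policy module calling one <service>_systemctl interface per service the snmp extend needs, builds it with the selinux-policy-devel Makefile and loads it. It goes slightly beyond the thread by handling a list of services rather than just dnsmasq. The module name snmpd_systemctl_local is hypothetical; the paths assume Fedora/RHEL selinux-policy-devel (/usr/share/selinux/devel) and setools-console (sesearch), and every interface name passed on the command line is assumed to exist in the installed policy (dnsmasq_systemctl does, as the reply shows; list_systemctl_interfaces prints the ones actually available).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: build a local module that
# grants snmpd_t the <service>_systemctl() interfaces instead of raw allow rules.
# Assumptions: Fedora/RHEL selinux-policy-devel (devel Makefile + include tree),
# setools-console for sesearch, and that each <service>_systemctl interface
# named on the command line exists in the installed policy.
set -e

MODULE=snmpd_systemctl_local            # hypothetical module name
DEVEL=/usr/share/selinux/devel          # devel Makefile and interface headers

# Print the *_systemctl interfaces shipped with the installed policy, so the
# caller can pick names that really exist.
list_systemctl_interfaces() {
    grep -rho "^interface(\`[a-z0-9_]*_systemctl'" "$DEVEL/include" \
        | sed "s/^interface(\`//; s/'$//" | sort -u
}

# Emit the .te source: one interface call per service.  Each call expands to
# systemd_exec_systemctl, init_reload_services, read/manage on that service's
# unit_file_t and ps_process_pattern, which is what the raw rules in the
# question were approximating by hand for every unit file.
write_te() {
    printf 'policy_module(%s, 1.0)\n\n' "$MODULE"
    printf "gen_require(\`\n\ttype snmpd_t;\n')\n\n"
    for svc in "$@"; do
        printf '# snmpd extend may run "systemctl <verb> %s"\n' "$svc"
        printf '%s_systemctl(snmpd_t)\n' "$svc"
    done
}

# Build with the policy devel Makefile (checkmodule + semodule_package) and load.
build_and_install() {
    dir=$(mktemp -d)
    write_te "$@" > "$dir/$MODULE.te"
    make -C "$dir" -f "$DEVEL/Makefile" "$MODULE.pp"
    semodule -i "$dir/$MODULE.pp"
}

# Confirm the derived rule is in the loaded policy
# (manage_service_perms covers the status permission asked about).
verify() {
    sesearch -A -s snmpd_t -t "${1}_unit_file_t" -c service
}

# Usage: sh snmpd_systemctl.sh install dnsmasq [chronyd ...]
if [ "${1:-}" = "install" ]; then
    shift
    build_and_install "$@"
    for svc in "$@"; do verify "$svc"; done
fi
```

Run `sh snmpd_systemctl.sh install dnsmasq` as root after checking the name against list_systemctl_interfaces; adding another service is one more argument, not another set of hand-copied allow rules, and the resulting .te contains only interface calls, so it keeps working when the underlying permissions in dnsmasq.if change with a policy update.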