Best practice for new policy

Daniel J Walsh dwalsh at redhat.com
Sat Jan 3 12:56:53 UTC 2015


If the Interface files are written properly, you should be able to call
the _systemctl interfaces

    dnsmasq_systemctl(NetworkManager_t)

For example

interface(`dnsmasq_systemctl',`
    gen_require(`
        type dnsmasq_unit_file_t;
        type dnsmasq_t;
    ')

    systemd_exec_systemctl($1)
    init_reload_services($1)
    allow $1 dnsmasq_unit_file_t:file read_file_perms;
    allow $1 dnsmasq_unit_file_t:service manage_service_perms;

    ps_process_pattern($1, dnsmasq_t)
')

On 01/02/2015 12:03 PM, Joseph L. Casale wrote:
> We use snmp extends to invoke commands on various hosts, obviously with
> selinux enabled we need to accommodate the command.
>
> We have one that invokes systemctl, so depending on the unit files installed
> the policy varies. That's not a scalable approach so what is the best practice
> here for writing a policy that allows snmpd to invoke systemctl where we
> allow something like:
>
> allow snmpd_t *_unit_file_t:service status;
> allow snmpd_t init_t:system status;
> allow snmpd_t init_t:unix_stream_socket connectto;
> allow snmpd_t self:netlink_route_socket nlmsg_write;
> allow snmpd_t systemd_systemctl_exec_t:file { read execute open execute_no_trans };
> allow snmpd_t usr_t:file unlink;
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
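The following is an added example, not code from the original mail or from the Fedora policy: a small local policy module that gives snmpd_t the systemctl access the question asks for by calling the dnsmasq_systemctl interface quoted above, instead of hand-writing per-unit allow rules, plus the build, load and verification steps around it. It assumes the dnsmasq and snmp policy modules are installed (so dnsmasq_systemctl and snmpd_t exist), that selinux-policy-devel provides /usr/share/selinux/devel/Makefile, and that setools supplies sesearch; the module name local_snmpd_systemctl is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not part of the original mail): a local policy module that
# lets snmpd_t drive "systemctl" for dnsmasq via the dnsmasq_systemctl()
# interface. Module name is a constructed placeholder.
MODULE_NAME=local_snmpd_systemctl

# Emit the type-enforcement (.te) source. The single interface call expands
# to: systemd_exec_systemctl, init_reload_services, read of
# dnsmasq_unit_file_t, manage_service_perms on that unit file's service
# class, and ps visibility of dnsmasq_t (as shown in the interface body).
gen_te() {
    cat <<'EOF'
policy_module(local_snmpd_systemctl, 1.0)

require {
    type snmpd_t;
}

# One interface call per service snmpd must control; add more lines
# (e.g. other *_systemctl interfaces) rather than raw allow rules.
dnsmasq_systemctl(snmpd_t)
EOF
}

# Check, without any SELinux tooling, that the generated source calls the
# interface exactly once. Returns 0 on success, 1 otherwise.
te_calls_interface() {
    n=$(gen_te | grep -c '^dnsmasq_systemctl(snmpd_t)$')
    [ "$n" -eq 1 ]
}

# Build the .pp with the reference-policy devel Makefile and load it.
# Assumes selinux-policy-devel is installed and the caller is root.
build_and_load() {
    dir=$(mktemp -d) || return 1
    gen_te > "$dir/$MODULE_NAME.te"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; source left in $dir" >&2
        return 1
    fi
    make -C "$dir" -f /usr/share/selinux/devel/Makefile "$MODULE_NAME.pp" \
        && semodule -i "$dir/$MODULE_NAME.pp"
}

# Verify the loaded policy actually grants the service permissions the
# interface promises (requires setools' sesearch).
verify_loaded() {
    sesearch --allow -s snmpd_t -t dnsmasq_unit_file_t -c service \
        | grep -q 'dnsmasq_unit_file_t:service'
}

# Usage when run directly (skipped when sourced by a test harness):
# te_calls_interface && build_and_load && verify_loaded
```

The check in te_calls_interface is the only part that runs without an SELinux host; build_and_load and verify_loaded need the policy devel package and setools on a system with the dnsmasq and snmp modules installed.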


