Best practice for new policy
Daniel J Walsh
dwalsh at redhat.com
Sat Jan 3 12:56:53 UTC 2015
If the interface files are written properly, you should be able to call
the _systemctl interfaces:
dnsmasq_systemctl(NetworkManager_t)
For example:
interface(`dnsmasq_systemctl',`
	gen_require(`
		type dnsmasq_unit_file_t;
		type dnsmasq_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 dnsmasq_unit_file_t:file read_file_perms;
	allow $1 dnsmasq_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, dnsmasq_t)
')
On 01/02/2015 12:03 PM, Joseph L. Casale wrote:
> We use snmp extends to invoke commands on various hosts, obviously with
> selinux enabled we need to accommodate the command.
>
> We have one that invokes systemctl, so depending on the unit files installed
> the policy varies. That's not a scalable approach so what is the best practice
> here for writing a policy that allows snmpd to invoke systemctl where we
> allow something like:
>
> allow snmpd_t *_unit_file_t:service status;
> allow snmpd_t init_t:system status;
> allow snmpd_t init_t:unix_stream_socket connectto;
> allow snmpd_t self:netlink_route_socket nlmsg_write;
> allow snmpd_t systemd_systemctl_exec_t:file { read execute open execute_no_trans };
> allow snmpd_t usr_t:file unlink;
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
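Putting the two messages together, the snmpd side of this would be a small local policy module that calls one per-service _systemctl interface for each unit snmpd needs to drive, rather than hand-written allow rules against systemd_systemctl_exec_t and *_unit_file_t. The script below is an added example, not code from either poster: it generates such a module for snmpd_t, first checks that the installed refpolicy development headers actually define a <service>_systemctl interface for every service named (so a missing interface fails with a clear message instead of an m4 error from make), then builds and loads it. The module name snmpd_systemctl_local, the header location /usr/share/selinux/devel (overridable via SELINUX_DEVEL) and the service list passed on the command line are all assumptions.

```sh
#!/bin/sh
# Added example: generate, check, build and load a local SELinux module
# that lets snmpd_t run systemctl against named services through the
# per-service <svc>_systemctl() interfaces (e.g. dnsmasq_systemctl).
# Assumed (not from the thread): module name, devel header path, services.

DEVEL=${SELINUX_DEVEL:-/usr/share/selinux/devel}

# Return 0 if the installed policy headers define <svc>_systemctl.
# Not every module ships such an interface; check before referencing it.
has_systemctl_if() {
    svc=$1
    grep -rqs "interface(\`${svc}_systemctl'" "$DEVEL/include"
}

# Emit the .te source for a module named $1 that grants snmpd_t the
# <svc>_systemctl interface of every remaining argument.
gen_te() {
    mod=$1; shift
    cat <<EOF
policy_module($mod, 1.0)

gen_require(\`
    type snmpd_t;
')

EOF
    for svc in "$@"; do
        printf '%s_systemctl(snmpd_t)\n' "$svc"
    done
}

# Build <mod>.te into <mod>.pp with the refpolicy devel Makefile
# (selinux-policy-devel on Fedora/RHEL) and load it. Needs root.
build_and_load() {
    mod=$1
    make -f "$DEVEL/Makefile" "$mod.pp" && semodule -i "$mod.pp"
}

main() {
    mod=snmpd_systemctl_local
    for svc in "$@"; do
        if ! has_systemctl_if "$svc"; then
            echo "no ${svc}_systemctl interface under $DEVEL/include" >&2
            exit 1
        fi
    done
    gen_te "$mod" "$@" > "$mod.te"
    build_and_load "$mod"
}

# Usage: sh snmpd_systemctl.sh dnsmasq sshd
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root on the target host with the list of services snmpd must control; afterwards `semodule -l | grep snmpd_systemctl_local` confirms the module is loaded, and adding a service later is a matter of rerunning the script with the longer list and bumping the version in the generated policy_module() line.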