After a quick discussion with dominique, new attempt due to two issues:
1. No need (or even forbidden) to have "role $1 types foo_exec_t"
2. Suggestion to use the raid_run_mdadm name instead of raid_mdadm_role. The
idea here is to use raid_mdadm_role for prefixed domains (cfr. screen)
whereas raid_run_mdadm is to transition and run into a specific domain
Without wanting to (re?)start any discussion on prefixed versus non-prefixed
domains, such a naming convention could help us to keep the reference policy
cleaner (and naming conventions easy).
Also, refpolicy InterfaceNaming document only talks about run, not role.
So, without much further ado... ;-)
The system administrator (sysadm_r role) needs to use mdadm, but is not
allowed to use the mdadm_t type.
Rather than extend raid_domtrans_mdadm to allow this as well, use a
raid_mdadm_role (a bit more conform other role usages).
The other users of raid_domtrans_mdadm are all domains that run in system_r
role, which does have this type allowed (as per the system/raid.te
definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
')
optional_policy(`
- raid_domtrans_mdadm(sysadm_t)
+ raid_run_mdadm(sysadm_r, sysadm_t)
')
optional_policy(`
# mdadm policy
allow $1 mdadm_var_run_t:file manage_file_perms;
')
+
+######################################
+## <summary>
+## Execute a domain transition to mdadm_t for the
+## specified role, allowing it to use the mdadm_t
+## domain
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed to access mdadm_t domain
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition to mdadm_t
+## </summary>
+## </param>
+#
+interface(`raid_run_mdadm',`
+ gen_require(`
+ type mdadm_t;
+ ')
+ role $1 types mdadm_t;
+ raid_domtrans_mdadm($2)
+')
projects / people / stevee / selinux-policy.git / commitdiff
