system admin needs to use mdadm, but type is not allowed

After a quick discussion with Dominique, new attempt due to two issues:

1. No need (or even forbidden) to have "role $1 types foo_exec_t"
2. Suggestion to use the raid_run_mdadm name instead of raid_mdadm_role. The
   idea here is to use raid_mdadm_role for prefixed domains (cfr. screen)
   whereas raid_run_mdadm is to transition and run into a specific domain

Without wanting to (re?)start any discussion on prefixed versus non-prefixed
domains, such a naming convention could help us to keep the reference policy
cleaner (and naming conventions easy).

Also, refpolicy InterfaceNaming document only talks about run, not role.

So, without much further ado... ;-)

  The system administrator (sysadm_r role) needs to use mdadm, but is not
  allowed to use the mdadm_t type.

  Rather than extend raid_domtrans_mdadm to allow this as well, use a
  raid_mdadm_role (a bit more in line with other role usages).

  The other users of raid_domtrans_mdadm are all domains that run in system_r
  role, which does have this type allowed (as per the system/raid.te
  definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Sven Vermeulen 2011-04-28 16:44:14 -04:00 committed by Chris PeBenito
parent 2983a08467
commit 681831da06
2 changed files with 26 additions and 1 deletions

@ -261,7 +261,7 @@ optional_policy(`
')
optional_policy(`
raid_domtrans_mdadm(sysadm_t)
raid_run_mdadm(sysadm_r, sysadm_t)
')
optional_policy(`
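
Review bot: The commit description and this call disagree on the interface name. The indented summary in the message still says "use a raid_mdadm_role", while the line here calls raid_run_mdadm(sysadm_r, sysadm_t), which is the name point 2 of the message settles on. Please update the summary paragraph to name raid_run_mdadm so that anyone searching the log for the interface finds this commit. The header counts (7 lines before, 7 after) indicate that raid_domtrans_mdadm(sysadm_t) is replaced rather than kept alongside the new call, which is what you want since the new interface already calls raid_domtrans_mdadm($2); it would be worth stating in the message that the replacement keeps the transition and only adds the role authorization for sysadm_r.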

@ -47,3 +47,28 @@ interface(`raid_manage_mdadm_pid',`
# mdadm policy
allow $1 mdadm_var_run_t:file manage_file_perms;
')
######################################
## <summary>
## Execute a domain transition to mdadm_t for the
## specified role, allowing it to use the mdadm_t
## domain
## </summary>
## <param name="role">
## <summary>
## Role allowed to access mdadm_t domain
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed to transition to mdadm_t
## </summary>
## </param>
#
interface(`raid_run_mdadm',`
gen_require(`
type mdadm_t;
')
role $1 types mdadm_t;
raid_domtrans_mdadm($2)
')
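
Review bot: The summary comment for raid_run_mdadm attributes the domain transition to the role, but in the body the transition is granted to the second parameter via raid_domtrans_mdadm($2), and the first parameter only receives "role $1 types mdadm_t". Suggest rewording the summary along the lines of "Execute mdadm in the mdadm_t domain, and allow the specified role the mdadm_t domain." and ending it with a full stop. Since the two parameters are easy to swap at a call site, the param descriptions could also say explicitly that the role comes first and the source domain second, matching the raid_run_mdadm(sysadm_r, sysadm_t) call in the other file.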