Hello,
I'm trying to grant sysadm permissions to restart a service. The service needs to run as its own type, preferably using the system_r role. I'm running Red Hat 6.3 with a custom policy based on the reference policy.
From the research I've done so far, it appears that I can use 'run_init' or enable the 'direct_sysadm_daemon' flag when I compile the policy. However, using the 'direct_sysadm_daemon' flag doesn't seem to allow sysadm to restart the service. Instead, it seems to allow sysadm access to execute the program the service is pointing to since the daemon attribute is being added in the 'init_daemon_domain' template call. I need sysadm to make the call through the service script since the service has some additional logic for launching the executable.
My module types are as follows (I modeled this after other services like ntp, dhcp, etc.):
# myprog.te (module header added so the fragment builds on its own)
policy_module(myprog, 1.0.0)

# Service: /etc/init.d/myprog
# Marks the init script so init/initrc can run it and admins can transition through it
type myprog_initrc_exec_t;
init_script_file(myprog_initrc_exec_t)

# Main Program: /usr/sbin/myprog
# Daemon domain plus its entry point; init_daemon_domain wires the initrc_t -> myprog_t transition
type myprog_t;
type myprog_exec_t;
init_daemon_domain(myprog_t, myprog_exec_t)
What is the best/recommended way for sysadm to restart services (run_init vs. direct)?
Thanks,
Andy Ruch
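Added example (not from Andy's post): the refpolicy "admin interface" idiom that grants a domain and its role the right to execute a labeled init script, with a domain transition into initrc_t and a matching role transition into system_r, so the script's own logic runs rather than the bare binary and no run_init wrapper is needed. It assumes the refpolicy interfaces init_labeled_script_domtrans, domain_system_change_exemption and ps_process_pattern as shipped with the reference policy of that era, and the assumed names myprog_admin, sysadm_t and sysadm_r.

```selinux
# myprog.if (assumed file name), reference-policy style admin interface.
# $1 = caller domain (e.g. sysadm_t), $2 = caller role (e.g. sysadm_r).
interface(`myprog_admin',`
	gen_require(`
		type myprog_t, myprog_initrc_exec_t;
		role system_r;
	')

	# Let the admin see and signal the running daemon (needed for "stop"/"restart");
	# signal_perms only, no ptrace, to keep the grant minimal.
	allow $1 myprog_t:process signal_perms;
	ps_process_pattern($1, myprog_t)

	# Executing /etc/init.d/myprog (myprog_initrc_exec_t) from $1 transitions
	# into initrc_t, which then starts the daemon as usual.
	init_labeled_script_domtrans($1, myprog_initrc_exec_t)
	domain_system_change_exemption($1)

	# initrc_t is only valid in system_r, so the role must switch as well.
	role_transition $2 myprog_initrc_exec_t system_r;
	allow $2 system_r;
')
```

The interface is then granted only where it is wanted, e.g. in sysadm.te: `optional_policy(` myprog_admin(sysadm_t, sysadm_r) `)`, which scopes the transition to this one script instead of enabling direct_sysadm_daemon for every daemon.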