I typically use run_init and add pam_rootok to the run_init pam stack so I'm
not constantly retyping the root password.

(long term, aka RHEL7, the answer is that systemd does the work on your
behalf, so you don't have to worry about things like this any more)

On Thu, Apr 11, 2013 at 11:53 AM, Andy Ruch <adruch2002@xxxxxxxxx> wrote:
> Hello,
>
> I'm trying to grant sysadm permissions to restart a service. The service needs
> to run as its own type, preferably using system_r role. I'm running Red Hat
> 6.3 with a custom policy based on the reference policy.
>
> From the research I've done so far, it appears that I can use 'run_init' or
> enable the 'direct_sysadm_daemon' flag when I compile the policy. However,
> using the 'direct_sysadm_daemon' flag doesn't seem to allow sysadm to
> restart the service. Instead, it seems to allow sysadm access to execute the
> program the service is pointing to since the daemon attribute is being added
> in the 'init_daemon_domain' template call. I need sysadm to make the call
> through the service script since the service has some additional logic for
> launching the executable.
>
> My module types are as follows (I modeled this after other services like
> ntp, dhcp, etc.):
>
> # Service: /etc/init.d/myprog
> type myprog_initrc_exec_t;
> init_script_file( myprog_initrc_exec_t )
>
> # Main Program: /usr/sbin/myprog
> type myprog_t;
> type myprog_exec_t;
> init_daemon_domain( myprog_t, myprog_exec_t )
>
> What is the best/recommended way for sysadm to restart services (run_init
> vs. direct)?
>
> Thanks,
> Andy Ruch

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
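The pam_rootok change described in the reply, as an added example that is not code from either poster: an idempotent script that puts pam_rootok at the head of the run_init auth stack and verifies the result. The path /etc/pam.d/run_init, the exact module line, and the "apply" argument are assumptions; the SELinux transition into run_init_t stays the real access gate, since pam_rootok only succeeds for a caller whose real uid is already 0.

```shell
#!/bin/sh
# Added example (not from the original thread): make run_init stop asking
# a root shell in sysadm_r for the root password by putting pam_rootok
# first in the run_init PAM stack.  pam_rootok succeeds only when the
# calling process's real uid is 0, and run_init_t is reachable only from
# domains the policy allows (sysadm_t in the reference policy), so the
# SELinux role/domain check still decides who may restart services.
# PAM_FILE and the exact module line below are assumptions.
PAM_FILE="${PAM_FILE:-/etc/pam.d/run_init}"
ROOTOK_LINE='auth       sufficient   pam_rootok.so'

# Report whether the given stack already has pam_rootok in its auth phase.
has_pam_rootok() {
    grep -q '^auth[[:space:]].*pam_rootok\.so' "$1"
}

# Insert the pam_rootok line just before the first existing "auth" line
# so it is evaluated ahead of any password module; no-op when rerun.
add_pam_rootok() {
    file="$1"
    has_pam_rootok "$file" && return 0
    awk -v line="$ROOTOK_LINE" '
        !done && /^auth/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file" > "$file.tmp" || return 1
    # Overwrite in place instead of mv so the file keeps its owner, mode
    # and SELinux label.
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Touch the real stack only when explicitly asked (requires root).
if [ "${1:-}" = "apply" ]; then
    add_pam_rootok "$PAM_FILE" && has_pam_rootok "$PAM_FILE"
fi
```

Run with `sh script.sh apply` as root; without the argument it only defines the functions.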