Christopher J. PeBenito wrote:
On 11/18/2014 2:20 PM, Dominick Grift wrote:
class init_service
{
start
stop
status
}
I cannot really substantiate but it look like these are also used to start/stop/get status of systemd (session) daemons, so i suppose start_init, stop_init, get_status_init
I suspect this is mainly for starting the systemd session daemons. Logind uses these i believe.
so to start a systemd session daemon: allow ARG init_t:init start_init; or something maybe?
Why would those daemons need to be treated specially? In the end
they're still services; they may have special system features, but in
that case you don't allow just anyone to stop/start them.
I can see why you'd want someone to be able to restart apache but not
everything. Certainly having specific permissions is not the way to
accomplish that.
The rule above is kind of strange, permissions should not be equivalence
classes, types should be, so it should be more like:
allow <domain requesting restart> <derived service label> : init {start
stop}
right?
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
