On Aug 22, 2011, at 12:11 PM, Sven Vermeulen wrote:

> On Mon, Aug 22, 2011 at 03:18:16PM +0000, Sven Vermeulen wrote:
>> What you are suggesting (label init script) is exactly what I was talking
>> about: instead of having the init scripts labeled initrc_exec_t, they should
>> be labeled like slapd_initrc_exec_t, postfix_initrc_exec_t, ... and Gentoo's
>> integrated run_init support, which by the policy is currently only working
>> on initrc_exec_t, should support those too.
>
> I guess that won't be happening soon.
>
> When an administrative interface is granted to a domain/role (like
> ldap_admin) then a role transition to system_r is automatically granted
> when a transition occurs on the domain-specific initrc script (like
> slapd_initrc_exec_t). In case of integrated run_init support, this would
> create a context root:system_r:run_init_t, which is invalid.
>
> Removing the role transition in all administrative interfaces is imo a no-go
> as that would mean lots of work and maintenance.
>
> Oh well, it was fun to try...
>
> Wkr,
> Sven Vermeulen
I know this is not ideal, but can you simply allow sysadm_r to use rc-service and its brothers?

--
Matthew Thode
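For readers who want to see why the context Sven mentions ends up invalid, here is a small model of how SELinux combines a role_transition and a type_transition on a single execve and then checks the resulting role:type pair against the policy's "role R types { ... }" authorizations. This is an added illustration, not code from the thread, from refpolicy, or from Gentoo; the role/type sets and rules are constructed for the example, and it assumes (as Sven's message implies) that run_init_t is authorized for sysadm_r but not for system_r.

```python
# Added illustration: a simplified model of SELinux role/type transitions on execve.
# Not refpolicy or Gentoo policy code; every set below is constructed for the example.

# "role R types { ... }": which domain types each role is authorized to run.
# Assumption: run_init_t is only authorized for sysadm_r, not for system_r.
ROLE_TYPES = {
    "sysadm_r": {"sysadm_t", "run_init_t"},
    "system_r": {"init_t", "initrc_t", "slapd_t"},
}

# "role_transition <role> <exec_file_type> <new_role>": what an admin interface
# such as ldap_admin() grants for its domain-specific init script type.
ROLE_TRANSITIONS = {
    ("sysadm_r", "slapd_initrc_exec_t"): "system_r",
}

# "type_transition <source_domain> <exec_file_type>:process <new_domain>":
# integrated run_init enters run_init_t when sysadm_t executes an init script.
# The second rule is the extension to domain-specific script types being discussed.
TYPE_TRANSITIONS = {
    ("sysadm_t", "initrc_exec_t"): "run_init_t",
    ("sysadm_t", "slapd_initrc_exec_t"): "run_init_t",
}


def context_is_valid(ctx):
    """A context is valid only if its role is authorized for its type."""
    _user, role, typ = ctx
    return typ in ROLE_TYPES.get(role, set())


def execve(ctx, exec_type):
    """Apply both transition kinds for one execve; return (new_context, valid).

    The kernel evaluates role_transition and type_transition independently on the
    same execve, so a role change granted for one purpose can combine with a
    domain change granted for another into a pair no role authorizes.
    """
    user, role, typ = ctx
    new_role = ROLE_TRANSITIONS.get((role, exec_type), role)
    new_type = TYPE_TRANSITIONS.get((typ, exec_type), typ)
    new_ctx = (user, new_role, new_type)
    return new_ctx, context_is_valid(new_ctx)


if __name__ == "__main__":
    admin = ("root", "sysadm_r", "sysadm_t")
    for script in ("initrc_exec_t", "slapd_initrc_exec_t"):
        ctx, ok = execve(admin, script)
        print(f"{script:22} -> {':'.join(ctx):30} {'valid' if ok else 'INVALID'}")
```

Running it shows the generic script path landing in root:sysadm_r:run_init_t (valid) while the domain-specific script path lands in root:system_r:run_init_t, which no "role types" rule authorizes; a real kernel refuses such an execve. That is the conflict between the per-domain role transitions that the admin interfaces add and an integrated run_init that would recognise the per-domain script types.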