
Commit cc4a892

committed
Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864)
1 parent 7a5cfb3 commit cc4a892


2 files changed

+6
-0
lines changed


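--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -21,6 +21,9 @@ gen_tunable(staff_use_svirt, false)
 #
 # Local policy
 #
+
+allow staff_t self:system all_system_perms;
+
 corenet_ib_access_unlabeled_pkeys(staff_t)
 
 kernel_read_ring_buffer(staff_t)
@@ -255,6 +258,7 @@ optional_policy(`
 
 optional_policy(`
 systemd_read_unit_files(staff_t)
+systemd_config_all_services(staff_t)
 systemd_exec_systemctl(staff_t)
 ')
 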
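Review bot: `allow staff_t self:system all_system_perms;` in the first hunk grants the confined staff_t domain every permission of the `system` class on itself, which is wider than the commit title's goal of managing user systemd services; the same rule is added for sysadm_t in policy/modules/roles/sysadm.te. If all_system_perms expands the way it does in reference policy, it also covers kernel-side permissions such as `module_load` and `syslog_mod`, which are unrelated to a user systemd instance. I would narrow the rule to the manager permissions that are actually needed, for example `allow staff_t self:system { status start stop enable disable reload };`, and put a comment above it recording why the target is `self` (presumably because the per-user systemd manager runs in the user's own domain; worth confirming). Separately, `systemd_config_all_services(staff_t)` in the second hunk reads, by its name, as covering all unit files rather than user units only; its definition is not visible here, so the scope should be checked against the interface before staff_t receives it.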
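--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -10,6 +10,8 @@ role sysadm_r;
 userdom_admin_user_template(sysadm)
 allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 
+allow sysadm_t self:system all_system_perms;
+
 
 ########################################
 #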
