Allow sysadm_t and staff_t roles to manage user systemd services BZ(1…

…531864)
fedora-selinux · Jan 10, 2018 · cc4a892 · cc4a892
1 parent 7a5cfb3
commit cc4a892
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
@@ -21,6 +21,9 @@ gen_tunable(staff_use_svirt, false)
 #
 # Local policy
 #
+
+allow staff_t self:system all_system_perms;
+
 corenet_ib_access_unlabeled_pkeys(staff_t)
 
 kernel_read_ring_buffer(staff_t)
@@ -255,6 +258,7 @@ optional_policy(`
 
 optional_policy(`
 	systemd_read_unit_files(staff_t)
+    systemd_config_all_services(staff_t)
 	systemd_exec_systemctl(staff_t)
 ')
 

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
@@ -10,6 +10,8 @@ role sysadm_r;
 userdom_admin_user_template(sysadm)
 allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 
+allow sysadm_t self:system all_system_perms;
+
 
 ########################################
 #