From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] How to give _admin rights?
Date: Thu, 9 Aug 2012 20:38:51 +0200
Message-ID: <20120809183851.GA2643@siphos.be>

Hi guys,

Currently all administration I do is handled through the sysadm_r:sysadm_t
context. As a result, I never needed to explicitly grant an admin interface
(like nscd_admin) to a specific role.

I'm now trying to allow a role (be it user_r, staff_r or a newly created
role) to (re)start the NSCD init script (which is labeled
nscd_initrc_exec_t) so I thought it would be sufficient to just add in:
	nscd_admin(staff_t, staff_r)

However, a user (SELinux user staff_u) doesn't seem to be able to really use
it properly, unless I also give that user the root password (which I don't)
for the run_init command...

I've tried:
	~$ /etc/init.d/nscd status
	-bash: /etc/init.d/nscd: /sbin/runscript: bad interpreter:
	Permission denied
which is because of:
	security_compute_sid:  invalid context staff_u:system_r:initrc_t for
	scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:nscd_initrc_exec_t
	tclass=process

I've tried:
	~$ /usr/sbin/run_init /etc/init.d/nscd status
	Authenticating oper.
	Password: 
	Could not set exec context to system_u:system_r:initrc_t
which is because of:
	avc:  denied  { setexec } for  pid=18505 comm="run_init"
	scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t
	tclass=process

I've tried:
	~$ sudo /usr/sbin/run_init /etc/init.d/nscd status
but then, after authenticating, run_init asks for the root password which I
don't want to grant.

I've tried:
	~$ sudo /etc/init.d/nscd status
	sudo: unable to execute /etc/init.d/nscd: Permission denied
For this I don't know what is causing this - only see the standard denials
(rlimitinh, noatsecure, ...) and a getattr on a tty device.

Is it "normal" that I would need to allow setexec for the user domain?

What is the correct way to, once a role/user is defined, grant him the
_admin interface and have him start/stop the init scripts?

Wkr,
	Sven Vermeulen
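Added example, not part of the thread and not refpolicy code: a small Python script that parses the two kernel messages quoted in the mail above and reports which policy layer rejected each step. The first line is an invalid-context rejection: the kernel computed the role transition for nscd_initrc_exec_t, arrived at staff_u:system_r:initrc_t, and discarded it. When the role changed but the SELinux user did not, the validity check that fails is the user's role authorisation (staff_u is not declared with system_r), which is a user declaration problem rather than a missing allow rule. The second line is an ordinary AVC denial: type enforcement gives staff_t no setexec on class process, which run_init needs in order to set the exec context. The log lines are copied from the mail (each joined onto one line); the `layer` labels and the role/type heuristic are my own, since the kernel message does not say which validity check failed.

```python
"""Classify SELinux kernel messages into the policy layer that produced them.

Added example; the sample lines are the two messages quoted in the mail.
"""
import re
from dataclasses import dataclass

# Copied from the mail above, whitespace joined onto one line per message.
SAMPLE_LOG = """\
security_compute_sid:  invalid context staff_u:system_r:initrc_t for scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:nscd_initrc_exec_t tclass=process
avc:  denied  { setexec } for  pid=18505 comm="run_init" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=process
"""


@dataclass(frozen=True)
class Context:
    """user:role:type of a security context (an MLS range, if present, is ignored)."""
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, text):
        parts = text.split(":")
        if len(parts) < 3:
            raise ValueError(f"not a security context: {text!r}")
        return cls(parts[0], parts[1], parts[2])


INVALID_CTX_RE = re.compile(
    r"security_compute_sid:\s+invalid context (?P<new>\S+) for\s+"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<tclass>\S+)"
)
AVC_DENIED_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<tclass>\S+)"
)


def diagnose(line):
    """Return a dict naming the layer that rejected the operation, or None."""
    m = INVALID_CTX_RE.search(line)
    if m:
        new, src = Context.parse(m["new"]), Context.parse(m["src"])
        tgt = Context.parse(m["tgt"])
        # The kernel computed a transition result (new) from src and tgt and then
        # rejected it as invalid. The message does not say which validity check
        # failed, so infer it from what changed relative to the source context.
        if new.user == src.user and new.role != src.role:
            layer = "user-role"
            detail = (f"SELinux user {new.user} is not authorised for role {new.role}; "
                      f"the role transition on {tgt.type} reached a role the user "
                      f"declaration lacks")
        else:
            layer = "role-type"
            detail = f"role {new.role} is not authorised for type {new.type}"
        return {"kind": "invalid_context", "layer": layer,
                "source": src, "computed": new, "detail": detail}
    m = AVC_DENIED_RE.search(line)
    if m:
        src = Context.parse(m["src"])
        perms = m["perms"].split()
        # An AVC denial is plain type enforcement: the source domain lacks an
        # allow rule for these permissions on the target class.
        return {"kind": "avc_denied", "layer": "type-enforcement",
                "source": src, "computed": None,
                "detail": f"domain {src.type} lacks {{ {' '.join(perms)} }} "
                          f"on class {m['tclass']}"}
    return None


def diagnose_log(text):
    """Diagnose every recognised line in a block of dmesg/audit text."""
    return [d for d in (diagnose(line) for line in text.splitlines()) if d]


if __name__ == "__main__":
    for finding in diagnose_log(SAMPLE_LOG):
        print(f"{finding['kind']:<16} {finding['layer']:<16} {finding['detail']}")
```

Run as a script it prints one classified finding per message; diagnose_log() can equally be fed text pasted from dmesg or audit.log. The distinction it draws is the practical one: a "user-role" finding is fixed in the SELinux user's role list, not by adding allow rules, while a "type-enforcement" finding is a missing permission for the domain.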

Thread overview: 6+ messages
2012-08-09 18:38 Sven Vermeulen [this message]
2012-08-09 18:50 ` [refpolicy] How to give _admin rights? Daniel J Walsh
2012-08-09 18:57   ` Sven Vermeulen
2012-08-09 18:58 ` Christopher J. PeBenito
2012-08-10 12:50   ` Daniel J Walsh
2012-08-10 17:05 ` Sven Vermeulen