Michael C Thompson wrote:
Daniel J Walsh wrote:
Michael C Thompson wrote:
Michael C Thompson wrote:
Hey all,
Right now, we have sysadm_r and secadm_r as our administrative
roles. I believe Russel said he had done some work on the policy to
add an audit administrator as well, although I'm not able to find
it in the latest policy - what's the new name?
My question is what are the responsibilities of these 3
administrators (assuming 3, are there plans for more?); I would like
to know so that I might be able to test this.
A breakdown of their responsibilities and the over-lap of those
responsibilities would be most helpful.
I just checked, and with policy selinux-policy-mls-2.2.35-2,
sysadm_r and secadm_r can modify /etc/auditd.conf, /etc/audit.rules,
/etc/init.d/auditd can read and write these files.
secadm should not be able to edit auditd.conf or audit.rules. That
is a bug. I do not know about sysadm
Do I need to file a bugzilla? (I'd rather not if I can avoid it). Who
can answer the sysadm_r question?
yes. Klaus?
sysadm_r and secadm_r can not use service auditd X or
/etc/init.d/auditd X to manipulate the daemon, so that at least is
good, but neither can auditadm_r.
Are you using run_init?
OK, I've never heard of run_init until now... I tried run_init auditd
status, which failed to do anything useful, it printed a usage message
saying -f was a valid option. So I tried this, and got locked out of
my shell...
run_init service auditd status
Why does service auditd status not work?
I believe the designers were concerned about a transition happening
accidentally or via an app doing it without the admin knowing. run_init
is used to confirm the admin's intentions.
Wasn't the purpose of auditadm_r to be able to control the daemon
and modify the config files? I believe it was said on the call that
sysadm_r and secadm_r should be able to read, but not modify the
audit config files.
Again secadm_r but I am not sure we can easily stop sysadm_r.
Why can't we easily stop sysadm_r? I'm not familiar enough with the
policy to answer this myself.
Because sysadm_r is allowed to start/stop all services. The act of
stopping the service is auditable.
Thanks,
Mike
--
redhat-lspp mailing list
[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-lspp