On Wednesday, March 21 2007 10:59:10 am Loulwa Salem wrote:
> Paul Moore wrote:
> > I haven't verified this (I'm at home and don't have an LSPP machine
> > handy) but it was originally the case where you had to be in the secadm_r
> > role to be able to use netlabelctl. Unless Dan/Chris added the
> > netlabel_mgmt_t domain to the sysadm_r role I don't expect you'll be able
> > to run netlabelctl.
>
> At some point I believe it was decided that sysadm_r was going to be the
> powerful user and kinda replace secadm_r. Since then I have been executing
> netlabelctl as sysadm and it's been working just fine.
>
> This was working until before the openssh-18 package that broke logging in
> as sysadm_r and the last policy -38. It stopped working now with the latest
> packages.
Then I stand corrected; this definitely sounds like a bug and it would probably
be a good idea to file a new BZ for the problem.

> > I'm not sure this is a bug, unless of course we want sysadm_r to be able
> > to configure NetLabel. Please try running netlabelctl as secadm_r and
> > report the results.
>
> secadm is able to execute netlabelctl. sysadm_r used to be able to run it
> as well. Why was it changed in the first place, and should sysadm_r be able
> to execute it since it is supposed to be a powerful role?

I don't know why the behavior has changed. The only thing I can think of that
is related is the change made to allow netlabelctl to be executed by init
(patch snippet below). However, from what I can remember the
init_daemon_domain() only added additional permissions ...

Index: refpolicy/policy/modules/system/netlabel.te
===================================================================
--- refpolicy.orig/policy/modules/system/netlabel.te
+++ refpolicy/policy/modules/system/netlabel.te
@@ -8,8 +8,7 @@ policy_module(netlabel,1.0.0)
 type netlabel_mgmt_t;
 type netlabel_mgmt_exec_t;
-domain_type(netlabel_mgmt_t)
-domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
+init_daemon_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t)

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
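Review bot: the hunk header `@@ -8,8 +8,7 @@` announces eight old and seven new lines, but only the two `type` declarations and the three changed lines are reproduced, so the snippet as quoted is missing context lines and would not apply cleanly; please repost it from the original patch file rather than the mail body. On the substance, the two removed calls, `domain_type(netlabel_mgmt_t)` and `domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)`, only declare the domain and its entry point, and `init_daemon_domain()` performs those same declarations in addition to the init transition, so nothing visible in this hunk touches which roles may reach netlabel_mgmt_t. The sysadm_r regression discussed in the thread therefore has to come from wherever the sysadm role is (or no longer is) associated with the netlabel_mgmt_t type; that rule should be checked, and a note in the commit message stating that role access is unchanged by this hunk would have saved this question.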
