On Wednesday, March 21 2007 11:11:25 am Stephen Smalley wrote:
> On Wed, 2007-03-21 at 11:09 -0400, Paul Moore wrote:
> > On Wednesday, March 21 2007 10:59:10 am Loulwa Salem wrote:
> > > Paul Moore wrote:
> > > > I'm not sure this is a bug, unless of course we want sysadm_r to be
> > > > able to configure NetLabel. Please try running netlabelctl as
> > > > secadm_r and report the results.
> > >
> > > secadm is able to execute netlabelctl. sysadm_r used to be able to run
> > > it as well. Why was it changed in the first place, and should sysadm_r
> > > be able to execute it since it is supposed to be a powerful role?
> >
> > I don't know why the behavior has changed. The only thing I can think of
> > that is related is the change made to allow netlabelctl to be executed by
> > init (patch snippet below). However, from what I can remember the
> > init_daemon_domain() only added additional permissions ...
>
> If it adds a role_transition to system_r (likely, since it now thinks
> that netlabelctl is a daemon that needs to run in system_r), then that
> would explain it.

All righty, I'll have to take a closer look at the policy and see if there is
a better interface or set of allow rules to use ... I'm so used to running
netlabelctl manually via secadm_r I didn't notice this while testing the
change below. Unless Dan has any great insight into the best way to solve
this I'll work on it after lunch.

> > Index: refpolicy/policy/modules/system/netlabel.te
> > ===================================================================
> > --- refpolicy.orig/policy/modules/system/netlabel.te
> > +++ refpolicy/policy/modules/system/netlabel.te
> > @@ -8,8 +8,7 @@ policy_module(netlabel,1.0.0)
> >
> > type netlabel_mgmt_t;
> > type netlabel_mgmt_exec_t;
> > -domain_type(netlabel_mgmt_t)
> > -domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
> > +init_daemon_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t)

-- 
paul moore
linux security @ hp
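
Review bot: the added init_daemon_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t) line replaces both domain_type and domain_entry_file, yet nothing in the hunk records that netlabelctl is still expected to be run by hand from an admin role as well as by init. Stephen Smalley's reply raises the possibility that this interface adds a role_transition to system_r, so it would be worth checking the expanded policy for such a rule and confirming that execution from sysadm_r and secadm_r still behaves as intended. Suggest either adding an explicit rule for the interactive case alongside this line or adding a comment above it stating which roles are meant to run netlabelctl.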
