Paul Moore wrote:
On Wednesday, March 21 2007 11:11:25 am Stephen Smalley wrote:

On Wed, 2007-03-21 at 11:09 -0400, Paul Moore wrote:

On Wednesday, March 21 2007 10:59:10 am Loulwa Salem wrote:

Paul Moore wrote:

I'm not sure this is a bug, unless of course we want sysadm_r to be
able to configure NetLabel.  Please try running netlabelctl as
secadm_r and report the results.

secadm is able to execute netlabelctl. sysadm_r used to be able to run
it as well. Why was it changed in the first place, and should sysadm_r
be able to execute it since it is supposed to be a powerful role?

I don't know why the behavior has changed. The only thing I can think of
that is related is the change made to allow netlabelctl to be executed by
init (patch snippet below).  However, from what I can remember the
init_daemon_domain() only added additional permissions ...

If it adds a role_transition to system_r (likely, since it now thinks
that netlabelctl is a daemon that needs to run in system_r), then that
would explain it.


All righty, I'll have to take a closer look at the policy and see if there is a better interface or set of allow rules to use ... I'm so used to running netlabelctl manually via secadm_r I didn't notice this while testing the change below.

Unless Dan has any great insight into the best way to solve this I'll work on it after lunch.


Thanks Paul,
I'll open a bug to track this and copy you and Linda on it.

- Loulwa

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
