From mboxrd@z Thu Jan 1 00:00:00 1970
From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 23 Feb 2011 20:28:53 +0100
Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
In-Reply-To: <4D65176A.3050008@tresys.com>
References: <1297836459.3205.45.camel@tesla.lan> <4D65176A.3050008@tresys.com>
Message-ID: <1298489333.22930.14.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:07, Guido Trentalancia wrote:
> > This patch adds some permissions (through interface calls) needed
> > by the sysadm role (in particular logging permissions).
> >
> > diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> > --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
> > +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
> > @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
> > ubac_fd_exempt(sysadm_t)
> >
> > init_exec(sysadm_t)
> > +init_stream_connect(sysadm_t)
>
> Is this on an upstart system? If so these two rules should probably
> turn into init_telinit() and also that interface updated to handle
> stream sockets.

I confirm it's an upstart system.

At the moment I can't check about the interface that you suggest to use.
If it is equivalent, then that's fine. Is it a way to compact things?

Do you think we should use the upstart boolean here?

> > +logging_send_audit_msgs(sysadm_t)
>
> Why is this necessary?

I am not sure. If I can get some more insight on this I will let you
know later on or tomorrow.

> > +logging_set_tty_audit(sysadm_t)
> >
> > # Add/remove user home directories
> > userdom_manage_user_home_dirs(sysadm_t)

Regards,

Guido
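
Review bot: the added `logging_send_audit_msgs(sysadm_t)` line has no stated justification. The description only says the permissions are "needed by the sysadm role", and the thread leaves open why this one is required. Letting the administrator domain send its own audit messages widens who can write to the audit trail, so it should be backed by the specific denial that prompted it. Consider dropping that line from this patch and resubmitting it separately with the AVC message and the program that triggered it. The `init_stream_connect(sysadm_t)` addition is confirmed in the thread as an upstart-only need, so granting it unconditionally in sysadm.te is broader than necessary. Moving it into `init_telinit()` or placing it under the upstart conditional, both raised in the discussion, would keep non-upstart systems from receiving it. `logging_set_tty_audit(sysadm_t)` is the only addition that matches the "logging permissions" wording in the description, and a one-line comment above the three new calls saying what each is for would help later readers of sysadm.te.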