From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] How to give _admin rights?
Date: Fri, 10 Aug 2012 19:05:00 +0200
Message-ID: <20120810170500.GA13453@siphos.be>
In-Reply-To: <20120809183851.GA2643@siphos.be>
On Thu, Aug 09, 2012 at 08:38:51PM +0200, Sven Vermeulen wrote:
> Currently all administration I do is handled through the sysadm_r:sysadm_t
> context. As a result, I never needed to explicitly grant an admin interface
> (like nscd_admin) to a specific role.
>
> I'm now trying to allow a role (be it user_r, staff_r or a newly created
> role) to (re)start the NSCD init script (which is labeled
> nscd_initrc_exec_t) so I thought it would be sufficient to just add in:
> nscd_admin(staff_t, staff_r)
>
> However, a user (SELinux user staff_u) doesn't seem to be able to really use
> it properly, unless I also give that user the root password (which I don't)
> for the run_init command...
[...]
Thank you all for the feedback, especially Dominick who put me on the right
track.
What I failed to do was to grant the system_r role to the (SELinux) user
that I was giving _admin rights to. Because of that, no transition to
<user>:system_r:initrc_t was possible.
By giving the user the system_r access, it was sufficient to just grant the
_admin to the user/role and use
~$ sudo /etc/init.d/nscd start
Wkr,
Sven Vermeulen
Thread overview: 6+ messages
2012-08-09 18:38 [refpolicy] How to give _admin rights? Sven Vermeulen
2012-08-09 18:50 ` Daniel J Walsh
2012-08-09 18:57 ` Sven Vermeulen
2012-08-09 18:58 ` Christopher J. PeBenito
2012-08-10 12:50 ` Daniel J Walsh
2012-08-10 17:05 ` Sven Vermeulen [this message]