From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 04 Mar 2011 08:15:20 -0500
Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
In-Reply-To: <1299010039.14035.14.camel@tesla.lan>
References: <1297836459.3205.45.camel@tesla.lan>
 <4D65176A.3050008@tresys.com>
 <1298489333.22930.14.camel@tesla.lan>
 <4D6D4619.8030303@tresys.com>
 <1299010039.14035.14.camel@tesla.lan>
Message-ID: <4D70E5E8.5030107@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/01/11 15:07, Guido Trentalancia wrote:
> On Tue, 01/03/2011 at 14.16 -0500, Christopher J. PeBenito wrote:
>> On 02/23/11 14:28, Guido Trentalancia wrote:
>>> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
>>>> On 02/16/11 01:07, Guido Trentalancia wrote:
>>>>> This patch adds some permissions (through interface calls) needed
>>>>> by the sysadm role (in particular logging permissions).
>>>>>
>>>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
>>>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
>>>>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
>>>>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>>>>> ubac_fd_exempt(sysadm_t)
>>>>>
>>>>> init_exec(sysadm_t)
>>>>> +init_stream_connect(sysadm_t)
>>>>
>>>> Is this on an upstart system? If so these two rules should probably
>>>> turn into init_telinit() and also that interface updated to handle
>>>> stream sockets.
>>>
>>> I confirm it's an upstart system. At the moment I can't check about the
>>> interface that you suggest to use. If it is equivalent, then that's
>>> fine. Is it a way to compact things?
>>
>> It's not completely identical, as init_telinit() uses datagram sockets,
>> and this has stream sockets. But init_telinit() may need to be updated
>> if upstart changed its socket type.
>>
>>> Do you think we should use the upstart boolean here?
>>
>> No, it's in the init_telinit() interface.
>
> That's fine to me, good idea! As soon as you commit, I will test.

I think you misunderstand. I'm not going to commit it until you can
confirm this is telinit (which also happens when you run shutdown).

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
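
Review bot: The `+init_stream_connect(sysadm_t)` line after `init_exec(sysadm_t)` is not justified by the patch description, which names logging permissions while this line gives sysadm_t a stream socket connection to init. The description should say which command triggers the access and include the denial that was observed, so the grant can be checked against the telinit/shutdown case raised in the thread. If that is the source, calling `init_telinit(sysadm_t)` and extending that interface for stream sockets keeps the upstart condition inside the interface instead of granting the connect unconditionally in sysadm.te. The hunk header (`-34,6 +34,10`) indicates four added lines, but only one is quoted here, so the remaining three need the same per-line justification.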