On Wed, 2007-03-21 at 11:09 -0400, Paul Moore wrote:
> On Wednesday, March 21 2007 10:59:10 am Loulwa Salem wrote:
> > Paul Moore wrote:
> > > I haven't verified this (I'm at home and don't have an LSPP machine
> > > handy) but it was originally the case where you had to be in the secadm_r
> > > role to be able to use netlabelctl.  Unless Dan/Chris added the
> > > netlabel_mgmt_t domain to the sysadm_r role I don't expect you'll be able
> > > to run netlabelctl.
> >
> > At some point I believe it was decided that sysadm_r was going to be the
> > powerful user and kinda replace secadm_r. Since then I have been executing
> > netlabelctl as sysadm and it's been working just fine.
> >
> > This was working before the openssh-18 package that broke logging in
> > as sysadm_r and the last policy, -38. It stopped working with the latest
> > packages.
> 
> Then I stand corrected, this definitely sounds like a bug and it would 
> probably be a good idea to file a new BZ for the problem.
> 
> > > I'm not sure this is a bug, unless of course we want sysadm_r to be able
> > > to configure NetLabel.  Please try running netlabelctl as secadm_r and
> > > report the results.
> >
> > secadm is able to execute netlabelctl. sysadm_r used to be able to run it
> > as well. Why was it changed in the first place, and should sysadm_r be able
> > to execute it since it is supposed to be a powerful role?
> 
> I don't know why the behavior has changed. The only thing I can think of that 
> is related is the change made to allow netlabelctl to be executed by init 
> (patch snippet below).  However, from what I can remember the 
> init_daemon_domain() only added additional permissions ...

If it adds a role_transition to system_r (likely, since it now thinks
that netlabelctl is a daemon that needs to run in system_r), then that
would explain it.  

> 
> Index: refpolicy/policy/modules/system/netlabel.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/netlabel.te
> +++ refpolicy/policy/modules/system/netlabel.te
> @@ -8,8 +8,7 @@ policy_module(netlabel,1.0.0)
> 
>  type netlabel_mgmt_t;
>  type netlabel_mgmt_exec_t;
> -domain_type(netlabel_mgmt_t)
> -domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
> +init_daemon_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t)
> 
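Review bot: replacing domain_type()/domain_entry_file() with init_daemon_domain() (the -/+ lines) can change which role netlabel_mgmt_t is valid in, not only which permissions the domain gets; if the interface expands to `role system_r types netlabel_mgmt_t` plus a role_transition into system_r for netlabel_mgmt_exec_t, sysadm_r ends up without netlabel_mgmt_t in its role set, which is exactly the reported regression. Suggest checking the built policy with `seinfo -rsysadm_r -x` (is netlabel_mgmt_t still listed?) and `sesearch --role_trans` for netlabel_mgmt_exec_t, and either keeping the two removed lines and adding only the init transition separately, or pairing the init_daemon_domain() call with an explicit `role sysadm_r types netlabel_mgmt_t;` so the sysadm_r path keeps working. Minor: the policy_module(netlabel,1.0.0) version shown in the hunk header is not bumped for a behavioural change.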
-- 
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
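As an added example (not from the thread, and not refpolicy's own code), here is the shape of a small local module that puts sysadm_r back into the role set of netlabel_mgmt_t and lets sysadm_t transition into it. It assumes the refpolicy netlabel module from the quoted hunk (types netlabel_mgmt_t and netlabel_mgmt_exec_t) is loaded and that the refpolicy support macro domtrans_pattern() is available; the module name local_netlabel_sysadm is my choice.

```m4
# Added example, not from the thread or from refpolicy.
# Assumes the refpolicy netlabel module is loaded (netlabel_mgmt_t,
# netlabel_mgmt_exec_t) and that the sysadm role/domain exist.
policy_module(local_netlabel_sysadm, 1.0)

gen_require(`
	type sysadm_t;
	role sysadm_r;
	type netlabel_mgmt_t, netlabel_mgmt_exec_t;
')

# Let sysadm_t execute netlabelctl and transition into netlabel_mgmt_t
# (domtrans_pattern = execute + transition + entrypoint rules).
domtrans_pattern(sysadm_t, netlabel_mgmt_exec_t, netlabel_mgmt_t)

# A domain transition alone is not enough: the target type must also be
# authorised for the caller's role, or the exec is refused because the
# resulting context sysadm_r:netlabel_mgmt_t is invalid. This is the
# authorisation that a role_transition into system_r would bypass.
role sysadm_r types netlabel_mgmt_t;
```

Build and load it the usual way (`make -f /usr/share/selinux/devel/Makefile local_netlabel_sysadm.pp` then `semodule -i local_netlabel_sysadm.pp`), then confirm with `seinfo -rsysadm_r -x` that netlabel_mgmt_t now appears in the role's type list. One caveat: if the installed policy really does carry a role_transition from sysadm_r to system_r on netlabel_mgmt_exec_t, the kernel still flips the role on exec, and that also needs a `allow sysadm_r system_r;` role allow to succeed, so check `sesearch --role_trans` output first rather than assuming the role allow above is the whole fix.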
