On Wednesday, March 21 2007 4:21:42 pm Stephen Smalley wrote:
> On Wed, 2007-03-21 at 16:13 -0400, Paul Moore wrote:
> > This leads me to two questions:
> >
> > * Why does the 'netlabel_mgmt_t' domain not have write access to the
> > 'sysadm_tty_device_t' object when the terminal context should be
> > included in the 'admin_terminal' type attribute which is used in the
> > call to 'netlabel_run_mgmt()' via 'userdom_security_administrator()'
> > for 'sysadm_r'?
>
> MLS-related denial?

I don't think so, as everything in this case should be at SystemLow; however, I'm not seeing any avc denials in the audit logs, so I can't say for certain at this point.

> > * Why does the 'netlabel_mgmt_t' domain insist on performing a role
> > transition to 'system_r'?
>
> As I understand it, because you declared it as init_daemon_domain(), and
> daemon domains get role transitions defined to system_r so that if an
> admin or rpm scriptlet starts or restarts a daemon, it moves into the
> system_r role rather than staying in sysadm_r.

I probably asked the wrong question; what I should have asked is "_Where_ does the 'netlabel_mgmt_t' domain insist on performing a role transition to 'system_r'?" I understand it's there somewhere, I just need to find it, and I was hoping that someone on this list would know off the top of their head. If not, well, it's a good learning experience :)

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
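The "where is the rule" question above is hard to answer with a plain grep because, in reference-policy style sources, a `role_transition` can live inside an interface template with `$N` placeholders and only becomes concrete when a `.te` file calls that interface. The following added example (not from the thread or from the reference policy) scans both forms: it collects `role_transition` templates from interface definitions, instantiates them from the interface calls found in a `.te` file, and reports every effective rule for a given entrypoint type together with its origin. The policy text is a constructed, simplified stand-in; `init_daemon_domain` is used as the interface name only because the thread names it.

```python
import re

# Constructed stand-ins (NOT the real reference policy files): an interface
# template carrying a role_transition with $N placeholders, and a .te file
# that calls it plus one direct rule. Real sources use the same m4 quoting.
IF_SAMPLE = """
interface(`init_daemon_domain',`
	gen_require(`
		role system_r;
	')
	role system_r types $1;
	role_transition sysadm_r $2 system_r;
')
"""
TE_SAMPLE = """
type netlabel_mgmt_t;
type netlabel_mgmt_exec_t;
init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
role_transition staff_r netlabel_mgmt_exec_t system_r;
"""

# interface(`name',` ... ') with the body captured up to the closing ') at column 0
IFACE_RE = re.compile(r"interface\(`(\w+)',`(.*?)\n'\)", re.S)
# role_transition <from_role> <exec_type> <to_role>;
ROLE_TRANS_RE = re.compile(r"^\s*role_transition\s+(\S+)\s+(\S+)\s+(\S+)\s*;", re.M)
# interface_name(arg1, arg2, ...) call in a .te file
CALL_RE = re.compile(r"^\s*(\w+)\(([^)]*)\)", re.M)

def template_rules(if_src):
    """Map interface name -> list of (from_role, exec_type, to_role) templates."""
    return {name: ROLE_TRANS_RE.findall(body) for name, body in IFACE_RE.findall(if_src)}

def expand(rule, args):
    """Replace $1, $2, ... in a rule tuple with the caller's positional arguments."""
    return tuple(re.sub(r"\$(\d+)", lambda m: args[int(m.group(1)) - 1], f) for f in rule)

def find_role_transitions(te_src, if_src, exec_type):
    """Return (origin, (from_role, exec_type, to_role)) for every effective rule on exec_type."""
    templates = template_rules(if_src)
    found = [("direct", r) for r in ROLE_TRANS_RE.findall(te_src) if r[1] == exec_type]
    for iface, argstr in CALL_RE.findall(te_src):
        args = [a.strip() for a in argstr.split(",")]
        for rule in templates.get(iface, []):
            eff = expand(rule, args)
            if eff[1] == exec_type:
                found.append((iface, eff))
    return found

if __name__ == "__main__":
    for origin, (src, exe, dst) in find_role_transitions(TE_SAMPLE, IF_SAMPLE, "netlabel_mgmt_exec_t"):
        print(f"{origin}: role_transition {src} {exe} {dst};")
```

Pointing the same functions at a real policy tree means reading each `.if` and `.te` file into the two source strings; the template rule is then reported under the name of the interface that introduced it, which is the file you need to open.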
