From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 23 Feb 2011 09:19:22 -0500
Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
In-Reply-To: <1297836459.3205.45.camel@tesla.lan>
References: <1297836459.3205.45.camel@tesla.lan>
Message-ID: <4D65176A.3050008@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/16/11 01:07, Guido Trentalancia wrote:
> This patch adds some permissions (through interface calls) needed
> by the sysadm role (in particular logging permissions).
> 
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te	2011-01-08 19:07:21.214736932 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te	2011-02-15 23:10:39.681408593 +0100
> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>  ubac_fd_exempt(sysadm_t)
>  
>  init_exec(sysadm_t)
> +init_stream_connect(sysadm_t)

Is this on an upstart system?  If so these two rules should probably
turn into init_telinit() and also that interface updated to handle
stream sockets.

> +logging_send_audit_msgs(sysadm_t)

Why is this necessary?

> +logging_set_tty_audit(sysadm_t)
>  
>  # Add/remove user home directories
>  userdom_manage_user_home_dirs(sysadm_t)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com