From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 01 Mar 2011 14:16:41 -0500
Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
In-Reply-To: <1298489333.22930.14.camel@tesla.lan>
References: <1297836459.3205.45.camel@tesla.lan> <4D65176A.3050008@tresys.com> <1298489333.22930.14.camel@tesla.lan>
Message-ID: <4D6D4619.8030303@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/23/11 14:28, Guido Trentalancia wrote:
> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
>> On 02/16/11 01:07, Guido Trentalancia wrote:
>>> This patch adds some permissions (through interface calls) needed
>>> by the sysadm role (in particular logging permissions).
>>>
>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
>>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
>>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>>> ubac_fd_exempt(sysadm_t)
>>>
>>> init_exec(sysadm_t)
>>> +init_stream_connect(sysadm_t)
>>
>> Is this on an upstart system? If so these two rules should probably
>> turn into init_telinit() and also that interface updated to handle
>> stream sockets.
>
> I confirm it's an upstart system. At the moment I can't check about the
> interface that you suggest to use. If it is equivalent, then that's
> fine. Is it a way to compact things?

It's not completely identical, as init_telinit() uses datagram sockets, and this has stream sockets. But init_telinit() may need to be updated if upstart changed its socket type.

> Do you think we should use the upstart boolean here?

No, it's in the init_telinit() interface.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
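Review bot: the hunk header `@@ -34,6 +34,10 @@` accounts for four added lines, but only `+init_stream_connect(sysadm_t)` survives in the quoted excerpt, so the other three additions (presumably the logging permissions named in the description) cannot be reviewed from this thread and should be re-posted in full. For the one visible line, placing `init_stream_connect(sysadm_t)` next to `init_exec(sysadm_t)` grants sysadm_t a direct stream connect to init's socket instead of expressing the intent ("sysadm may signal init") through init_telinit(); since init_telinit() currently only covers the datagram socket, it would need a stream-socket connect permission added before it can replace this rule on an upstart system, and that change belongs in the init module rather than in sysadm.te.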