From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 01 Mar 2011 21:07:19 +0100
Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
In-Reply-To: <4D6D4619.8030303@tresys.com>
References: <1297836459.3205.45.camel@tesla.lan> <4D65176A.3050008@tresys.com> <1298489333.22930.14.camel@tesla.lan> <4D6D4619.8030303@tresys.com>
Message-ID: <1299010039.14035.14.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 01/03/2011 at 14.16 -0500, Christopher J. PeBenito wrote:
> On 02/23/11 14:28, Guido Trentalancia wrote:
> > On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
> >> On 02/16/11 01:07, Guido Trentalancia wrote:
> >>> This patch adds some permissions (through interface calls) needed
> >>> by the sysadm role (in particular logging permissions).
> >>>
> >>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> >>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
> >>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
> >>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
> >>> ubac_fd_exempt(sysadm_t)
> >>>
> >>> init_exec(sysadm_t)
> >>> +init_stream_connect(sysadm_t)
> >>
> >> Is this on an upstart system? If so these two rules should probably
> >> turn into init_telinit() and also that interface updated to handle
> >> stream sockets.
> >
> > I confirm it's an upstart system. At the moment I can't check about the
> > interface that you suggest to use. If it is equivalent, then that's
> > fine. Is it a way to compact things?
>
> It's not completely identical, as init_telinit() uses datagram sockets,
> and this has stream sockets. But init_telinit() may need to be updated
> if upstart changed its socket type.
>
> > Do you think we should use the upstart boolean here?
>
> No, it's in the init_telinit() interface.

That's fine to me, good idea! As soon as you commit, I will test.

Regards,

Guido
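
Review bot: The added init_stream_connect(sysadm_t) after init_exec(sysadm_t) is granted to sysadm_t unconditionally, with no comment saying what needs it and no upstart condition, although the thread ties the need to an upstart system. Suggest dropping it from sysadm.te in favour of init_telinit(sysadm_t) once that interface handles stream sockets, as proposed in the reply, so the permission stays scoped where the upstart condition already lives. The hunk header (-34,6 +34,10) declares four added lines but only this one is quoted, so the other three additions cannot be reviewed from this message.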