From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 27 Sep 2011 18:39:12 +0200
Subject: [refpolicy] [PATCH 1/2] Asterisk admin must be able to run
 'asterisk -r'
In-Reply-To: <1317068586.2861.11.camel@x220.mydomain.internal>
References: <20110926195542.GA15513@siphos.be>
	<20110926195713.GB15513@siphos.be>
	<1317068586.2861.11.camel@x220.mydomain.internal>
Message-ID: <20110927163911.GB17946@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Sep 26, 2011 at 10:23:06PM +0200, Dominick Grift wrote:
> In theory looks good but i wonder if this will work in practice since
> you may have tested it with sysadm_t that is not a good representation
> of reality. These admin interfaces shouldnt be called by sysadm_t, they
> should instead be used with userdom_base_user_template.

I agree that role support here is important, but what is the rule when to
add things to sysadm_t and when not? It also holds the apache_role...

Wkr,
	Sven Vermeulen