From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 27 Sep 2011 19:28:29 +0200
Subject: [refpolicy] [PATCH 1/2] Asterisk admin must be able to run 'asterisk -r'
In-Reply-To: <1317142972.2861.77.camel@x220.mydomain.internal>
References: <20110926195542.GA15513@siphos.be> <20110926195713.GB15513@siphos.be> <1317068586.2861.11.camel@x220.mydomain.internal> <20110927163911.GB17946@siphos.be> <1317142972.2861.77.camel@x220.mydomain.internal>
Message-ID: <20110927172828.GA20337@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Sep 27, 2011 at 07:02:52PM +0200, Dominick Grift wrote:
> *_admin() interfaces aren't your average roles. (I guess that's why they
> don't call them *_admin_role())

Hmm, okay

[...]

> So, yes roles() should be called in the role layer modules but
> asterisk_admin or any other _admin interface is not such a role. It's
> different, it's specific to confined root.

Didn't know that, thanks. I think it is best to mark the binary as an
application_exec_type then as you suggested, and use the stream connect.
I'll have it tested to see if that works.

Wkr,
Sven Vermeulen