From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 9 Aug 2012 20:57:07 +0200
Subject: [refpolicy] How to give _admin rights?
In-Reply-To: <5024066B.9080206@redhat.com>
References: <20120809183851.GA2643@siphos.be> <5024066B.9080206@redhat.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Aug 9, 2012 8:50 PM, "Daniel J Walsh" wrote:
> > Currently all administration I do is handled through the sysadm_r:sysadm_t
> > context. As a result, I never needed to explicitly grant an admin interface
> > (like nscd_admin) to a specific role.
> >
> > I'm now trying to allow a role (be it user_r, staff_r or a newly created
> > role) to (re)start the NSCD init script (which is labeled
> > nscd_initrc_exec_t) so I thought it would be sufficient to just add in:
> > nscd_admin(staff_t, staff_r)
> > [... various trials and errors ...]
> >
> What OS are you seeing this on?

This is on Gentoo Hardened.

What is the normal approach to take (say on RedHat Enterprise Linux)? If the role/domain has the _admin interface, just "sudo "? Or is there still a need for run_init?

From what I gather from the _admin interfaces, we grant the domain the can_system_change attribute so that the user /can/ transition from (say) staff_u to system_u, but as far as I can see, you need to run the run_init command in order to actually change a SELinux user (or runcon) - there is no way to automatically do that.

So I guess I need to call run_init, so that would leave me two options:

~$ run_init /etc/init.d/nscd

But in this case, my Linux credentials never become root so it'll fail anyway.

~$ sudo run_init /etc/init.d/nscd

But in this case, run_init wants to get the root password (re-authenticate), or do I need to enable pam_rootok.so for this?
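As an added illustration of the re-authentication question above (not part of the thread), this is what a PAM stack for the run_init service looks like when pam_rootok.so is placed first: a caller whose Linux uid is already 0 (for instance after sudo) satisfies that module and skips the password prompt, while any other caller still passes through the regular authentication stack. The file path /etc/pam.d/run_init, the service name run_init and the system-auth include are assumptions about the Gentoo layout, not something the thread states.

```text
# /etc/pam.d/run_init   (assumed path: the PAM service run_init opens)
#
# pam_rootok.so succeeds only when the calling uid is 0. With "sudo run_init"
# that is already the case, so the auth phase stops here and no second
# password is requested. Without sudo the module fails and the normal
# system-auth stack below decides, exactly as before.
auth       sufficient   pam_rootok.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
```

This only removes the second password prompt; the SELinux transition to the run_init domain is still governed by policy, so the role must be allowed that transition separately.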