From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 3 Dec 2014 08:18:46 -0500 Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm In-Reply-To: <1417609724-28437-1-git-send-email-jason@perfinion.com> References: <1417609724-28437-1-git-send-email-jason@perfinion.com> Message-ID: <547F0DB6.2060501@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/3/2014 7:28 AM, Jason Zaman wrote: > Lots of the foo_admin() interfaces were not applied to sysadm. This > patch adds all the ones that were missing. Interfaces are added together > with the matching _role() interface if it was already present. > > Make all && make validate passes, but anyone else that can run any test > suites on this would be appreciated too. I'm not opposed to this change, but I wonder about cases like these: > + > +optional_policy(` > + asterisk_admin(sysadm_t, sysadm_r) > asterisk_stream_connect(sysadm_t) > ') > optional_policy(` > + bacula_admin(sysadm_t, sysadm_r) > bacula_run_admin(sysadm_t, sysadm_r) > ') Since I would assume that the admin interface would already include the existing rule. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com