From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 3 Dec 2014 08:18:46 -0500
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to
 sysadm
In-Reply-To: <1417609724-28437-1-git-send-email-jason@perfinion.com>
References: <1417609724-28437-1-git-send-email-jason@perfinion.com>
Message-ID: <547F0DB6.2060501@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/3/2014 7:28 AM, Jason Zaman wrote:
> Lots of the foo_admin() interfaces were not applied to sysadm. This
> patch adds all the ones that were missing. Interfaces are added together
> with the matching _role() interface if it was already present.
> 
> Make all && make validate passes, but anyone else that can run any test
> suites on this would be appreciated too.

I'm not opposed to this change, but I wonder about cases like these:

> +
> +optional_policy(`
> +	asterisk_admin(sysadm_t, sysadm_r)
>  	asterisk_stream_connect(sysadm_t)
>  ')

>  optional_policy(`
> +	bacula_admin(sysadm_t, sysadm_r)
>  	bacula_run_admin(sysadm_t, sysadm_r)
>  ')

Since I would assume that the admin interface would already include the
existing rule.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com