From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 3 Dec 2014 08:56:31 -0500
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to
 sysadm
In-Reply-To: <20141203134221.GA20778@meriadoc.Home>
References: <1417609724-28437-1-git-send-email-jason@perfinion.com>
	<547F0DB6.2060501@tresys.com>
	<20141203134221.GA20778@meriadoc.Home>
Message-ID: <547F168F.2000109@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/3/2014 8:42 AM, Jason Zaman wrote:
> On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito wrote:
>> On 12/3/2014 7:28 AM, Jason Zaman wrote:
>>> Lots of the foo_admin() interfaces were not applied to sysadm. This
>>> patch adds all the ones that were missing. Interfaces are added together
>>> with the matching _role() interface if it was already present.
>>>
>>> Make all && make validate passes, but anyone else that can run any test
>>> suites on this would be appreciated too.
>>
>> I'm not opposed to this change, but I wonder about cases like these:
>>
>>> +
>>> +optional_policy(`
>>> +	asterisk_admin(sysadm_t, sysadm_r)
>>>  	asterisk_stream_connect(sysadm_t)
>>>  ')
>>
>>>  optional_policy(`
>>> +	bacula_admin(sysadm_t, sysadm_r)
>>>  	bacula_run_admin(sysadm_t, sysadm_r)
>>>  ')
>>
>> Since I would assume that the admin interface would already include the
>> existing rule.
> 
> Bacula_admin does indeed call _run_admin so i'll take that away,
> asterisk does not call _stream_connect so that one is correct. I will

I think there is still the question, should the stream connect be added
to the admin interface?

> fix up all the others like this in the patch and send again.
> 
> Could you perhaps also shed some light on:
> 
>  optional_policy(`
> +       apache_admin(sysadm_t, sysadm_r)
>         apache_run_helper(sysadm_t, sysadm_r)
>         #apache_run_all_scripts(sysadm_t, sysadm_r)
>         #apache_domtrans_sys_script(sysadm_t)
>         apache_role(sysadm_r, sysadm_t)
>  ')
> 
> It looks like _admin calls _run_helper so that can be removed no
> problem. Why are the other ones commented out? should i remove the
> comments to clean it up in v2 of the patch then?

>From what I can tell from git blame, those have been commented out since
at least mid 2008, so they can be removed.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com