From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 3 Dec 2014 08:56:31 -0500
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm
In-Reply-To: <20141203134221.GA20778@meriadoc.Home>
References: <1417609724-28437-1-git-send-email-jason@perfinion.com> <547F0DB6.2060501@tresys.com> <20141203134221.GA20778@meriadoc.Home>
Message-ID: <547F168F.2000109@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/3/2014 8:42 AM, Jason Zaman wrote:
> On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito wrote:
>> On 12/3/2014 7:28 AM, Jason Zaman wrote:
>>> Lots of the foo_admin() interfaces were not applied to sysadm. This
>>> patch adds all the ones that were missing. Interfaces are added together
>>> with the matching _role() interface if it was already present.
>>>
>>> Make all && make validate passes, but anyone else that can run any test
>>> suites on this would be appreciated too.
>>
>> I'm not opposed to this change, but I wonder about cases like these:
>>
>>> +
>>> +optional_policy(`
>>> + asterisk_admin(sysadm_t, sysadm_r)
>>>  asterisk_stream_connect(sysadm_t)
>>>  ')
>>
>>>  optional_policy(`
>>> + bacula_admin(sysadm_t, sysadm_r)
>>>  bacula_run_admin(sysadm_t, sysadm_r)
>>>  ')
>>
>> Since I would assume that the admin interface would already include the
>> existing rule.
>
> Bacula_admin does indeed call _run_admin so I'll take that away,
> asterisk does not call _stream_connect so that one is correct. I will

I think there is still the question, should the stream connect be added to
the admin interface?

> fix up all the others like this in the patch and send again.
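Review bot: In the asterisk hunk, asterisk_stream_connect(sysadm_t) is kept as a separate call next to the new asterisk_admin(sysadm_t, sysadm_r). As the thread confirms, asterisk_admin() does not call asterisk_stream_connect(), so the extra line is not redundant; the open question for v2 is whether stream connect access should be moved into asterisk_admin() itself, so that every caller of the admin interface gets it without a second rule in sysadm.te.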
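Review bot: In the bacula hunk, bacula_run_admin(sysadm_t, sysadm_r) is left in place beside the new bacula_admin(sysadm_t, sysadm_r). Since bacula_admin() already calls bacula_run_admin(), as confirmed in the thread, the block should be reduced to just `bacula_admin(sysadm_t, sysadm_r)` in v2 so the sysadm policy does not carry a redundant call.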
>
> Could you perhaps also shed some light on:
>
> optional_policy(`
> + apache_admin(sysadm_t, sysadm_r)
>  apache_run_helper(sysadm_t, sysadm_r)
>  #apache_run_all_scripts(sysadm_t, sysadm_r)
>  #apache_domtrans_sys_script(sysadm_t)
>  apache_role(sysadm_r, sysadm_t)
> ')
>
> It looks like _admin calls _run_helper so that can be removed no
> problem. Why are the other ones commented out? Should I remove the
> comments to clean it up in v2 of the patch then?

From what I can tell from git blame, those have been commented out since at
least mid 2008, so they can be removed.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
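Review bot: In the apache hunk, apache_run_helper(sysadm_t, sysadm_r) becomes redundant once apache_admin(sysadm_t, sysadm_r) is added, since apache_admin() already calls apache_run_helper(); drop it in v2. The two commented-out lines `#apache_run_all_scripts(sysadm_t, sysadm_r)` and `#apache_domtrans_sys_script(sysadm_t)` should be deleted as well rather than carried forward as context, as the thread dates them to mid 2008 and nothing in the hunk depends on them.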