From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 03 Dec 2014 15:27:27 +0100
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm
In-Reply-To: <547F168F.2000109@tresys.com>
References: <1417609724-28437-1-git-send-email-jason@perfinion.com> <547F0DB6.2060501@tresys.com> <20141203134221.GA20778@meriadoc.Home> <547F168F.2000109@tresys.com>
Message-ID: <1417616847.29096.1.camel@joe.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
> On 12/3/2014 8:42 AM, Jason Zaman wrote:
> > On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito wrote:
> >> On 12/3/2014 7:28 AM, Jason Zaman wrote:
> >>> Lots of the foo_admin() interfaces were not applied to sysadm. This
> >>> patch adds all the ones that were missing. Interfaces are added together
> >>> with the matching _role() interface if it was already present.
> >>>
> >>> Make all && make validate passes, but anyone else that can run any test
> >>> suites on this would be appreciated too.
> >>
> >> I'm not opposed to this change, but I wonder about cases like these:
> >>
> >>> +
> >>> +optional_policy(`
> >>> + asterisk_admin(sysadm_t, sysadm_r)
> >>> asterisk_stream_connect(sysadm_t)
> >>> ')
> >>
> >>> optional_policy(`
> >>> + bacula_admin(sysadm_t, sysadm_r)
> >>> bacula_run_admin(sysadm_t, sysadm_r)
> >>> ')
> >>
> >> Since I would assume that the admin interface would already include the
> >> existing rule.
> >
> > Bacula_admin does indeed call _run_admin so I'll take that away,
> > asterisk does not call _stream_connect so that one is correct. I will
>
> I think there is still the question, should the stream connect be added
> to the admin interface?
>

I would argue, no. The application used to stream connect should instead be confined, and _admin should run that application with a domain transition instead.
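Review bot: in the bacula block, the added `+ bacula_admin(sysadm_t, sysadm_r)` duplicates the access already granted by the existing `bacula_run_admin(sysadm_t, sysadm_r)` line, since bacula_admin() calls _run_admin (as confirmed in the thread); keep only the bacula_admin() call so sysadm gets the role and domain transition through one interface.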
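As an added illustration of the design argued at the end of this thread (not code from the patch or from refpolicy itself), here is a hypothetical foo module in refpolicy interface style: the daemon socket is reachable only from a confined control tool, and foo_admin() gives the admin role a domain transition into that tool rather than a direct stream connect. All foo_* type names and the interface names are assumed placeholders; the pattern macros used are refpolicy's own.

```m4
# --- foo.if (hypothetical module, illustration only) ---
## <summary>Run the foo control tool in its own confined domain.</summary>
interface(`foo_run_ctl',`
	gen_require(`
		type foo_ctl_t, foo_ctl_exec_t;
	')

	# The caller only gets a transition; socket access lives in foo_ctl_t.
	domtrans_pattern($1, foo_ctl_exec_t, foo_ctl_t)
	role $2 types foo_ctl_t;
')

## <summary>All of the rules required to administrate the foo environment.</summary>
interface(`foo_admin',`
	gen_require(`
		type foo_t, foo_initrc_exec_t, foo_var_run_t;
	')

	allow $1 foo_t:process { ptrace signal_perms };
	ps_process_pattern($1, foo_t)

	init_labeled_script_domtrans($1, foo_initrc_exec_t)
	domain_system_change_exit($1)
	role_transition $2 foo_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, foo_var_run_t)

	# No foo_stream_connect($1) here: the admin reaches the socket
	# only through the confined tool, via a domain transition.
	foo_run_ctl($1, $2)
')

# --- foo.te (fragment) ---
type foo_ctl_t;
type foo_ctl_exec_t;
application_domain(foo_ctl_t, foo_ctl_exec_t)

# Only the control tool may connect to the daemon socket.
stream_connect_pattern(foo_ctl_t, foo_var_run_t, foo_var_run_t, foo_t)

# --- sysadm.te ---
optional_policy(`
	# One call; no separate foo_stream_connect(sysadm_t) line is needed.
	foo_admin(sysadm_t, sysadm_r)
')
```

With this layout, sesearch on the built policy shows unix_stream_socket connectto from foo_ctl_t to foo_t only, never from sysadm_t, which is the property the reply above argues for.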