From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 3 Dec 2014 10:50:34 -0500 Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm In-Reply-To: <547F2FF5.1000509@tresys.com> References: <1417609724-28437-1-git-send-email-jason@perfinion.com> <547F0DB6.2060501@tresys.com> <20141203134221.GA20778@meriadoc.Home> <547F168F.2000109@tresys.com> <1417616847.29096.1.camel@joe.localdomain> <547F2FF5.1000509@tresys.com> Message-ID: <547F314A.3070408@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/3/2014 10:44 AM, Christopher J. PeBenito wrote: > On 12/3/2014 10:29 AM, Jason Zaman wrote: >> >> On 3 Dec 2014 18:27, "Dominick Grift" > > wrote: >>> >>> On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote: >>>> On 12/3/2014 8:42 AM, Jason Zaman wrote: >>>>> On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito >> wrote: >>>>>> On 12/3/2014 7:28 AM, Jason Zaman wrote: >>>>>>> Lots of the foo_admin() interfaces were not applied to sysadm. This >>>>>>> patch adds all the ones that were missing. Interfaces are added >> together >>>>>>> with the matching _role() interface if it was already present. >>>>>>> >>>>>>> Make all && make validate passes, but anyone else that can run >> any test >>>>>>> suites on this would be appreciated too. >>>>>> >>>>>> I'm not opposed to this change, but I wonder about cases like these: >>>>>> >>>>>>> + >>>>>>> +optional_policy(` >>>>>>> + asterisk_admin(sysadm_t, sysadm_r) >>>>>>> asterisk_stream_connect(sysadm_t) >>>>>>> ') >>>> I think there is still the question, should the stream connect be added >>>> to the admin interface? >>>> >>> >>> I would argue, no >>> >>> The application use to stream connect should instead be confined and >>> _admin should run that application with a domain transition instead >>> >> I think admining something and using it are not necessarily the same so >> I agree with Dominick, they should be separate. > > I also agree. The admin interfaces should have all of the rules needed > to admin the service, and that's it. If that socket connect is not > related to an admin function, then it should remain separate. I asked > the question since I was unsure why there was a stream connect. >From the commit, Sven said: >Author: Sven Vermeulen >Date: Mon Oct 3 21:24:38 2011 +0200 > >Allow sysadm to interact with asterisk > >When administering asterisk, one often ran command is "asterisk -r" >which yields the asterisk CLI (when the asterisk server is running). To >be able to run this, you need asterisk_stream_connect privileges. > >Assign these privileges to the sysadm_r Which tells me that the stream connect should be added to the admin interface. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com