From: jason@perfinion.com (Jason Zaman)
Date: Thu, 16 Jul 2015 17:44:16 +0400
Subject: [refpolicy] Calling _run() inside _admin() interfaces
Message-ID: <20150716134416.GA30747@meriadoc.Home>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

There are quite a few modules that call foo_run() or foo_exec() inside
their admin interface. Previously some were removed because they caused
problems if both the _admin and _run interface are added to a role but
some still remain.

In the previous patch [1] that added all the rest of the admin
interfaces, some new things now have a transition in _run. eg,
rsync_admin was added which currently calls rsync_run, so sysadm using
rsync has a transition when previously it did not.

Should I send a patch to remove them? and if yes, remove all or remove
only the _run and leave the _exec?

Also do you want a patch to add the removed interfaces back to sysadm.te
directly? Or only add the ones that were there before patch [1]?

[1]: http://oss.tresys.com/pipermail/refpolicy/2015-June/007660.html