From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 17 Jul 2015 08:11:35 -0400
Subject: [refpolicy] Calling _run() inside _admin() interfaces
In-Reply-To: <20150716134416.GA30747@meriadoc.Home>
References: <20150716134416.GA30747@meriadoc.Home>
Message-ID: <55A8F0F7.4030802@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 7/16/2015 9:44 AM, Jason Zaman wrote:
> There are quite a few modules that call foo_run() or foo_exec() inside
> their admin interface. Previously some were removed because they caused
> problems if both the _admin and _run interface are added to a role but
> some still remain.
>
> In the previous patch [1] that added all the rest of the admin
> interfaces, some new things now have a transition in _run. e.g.,
> rsync_admin was added which currently calls rsync_run, so sysadm using
> rsync has a transition when previously it did not.
>
> Should I send a patch to remove them? And if yes, remove all or remove
> only the _run and leave the _exec?
>
> Also do you want a patch to add the removed interfaces back to sysadm.te
> directly? Or only add the ones that were there before patch [1]?

I think that in general, the concept for admin interfaces can include the
run calls, assuming it is needed to perform the admin tasks.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com