From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 17 Jul 2015 08:11:35 -0400
Subject: [refpolicy] Calling _run() inside _admin() interfaces
In-Reply-To: <20150716134416.GA30747@meriadoc.Home>
References: <20150716134416.GA30747@meriadoc.Home>
Message-ID: <55A8F0F7.4030802@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 7/16/2015 9:44 AM, Jason Zaman wrote:
> There are quite a few modules that call foo_run() or foo_exec() inside
> their admin interface. Previously some were removed because they caused
> problems if both the _admin and _run interface are added to a role but
> some still remain.
> 
> In the previous patch [1] that added all the rest of the admin
> interfaces, some new things now have a transition in _run. eg,
> rsync_admin was added which currently calls rsync_run, so sysadm using
> rsync has a transition when previously it did not.
> 
> Should I send a patch to remove them? and if yes, remove all or remove
> only the _run and leave the _exec?
> 
> Also do you want a patch to add the removed interfaces back to sysadm.te
> directly? Or only add the ones that were there before patch [1]?

I think that in general, the concept for admin interfaces can include
the run calls, assuming it is needed to perform the admin tasks.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com