[redhat-lspp] Administrative Roles
Michael C Thompson
thompsmc at us.ibm.com
Thu Apr 27 17:43:32 UTC 2006
Michael C Thompson wrote:
> Hey all,
>
> Right now, we have sysadm_r and secadm_r as our administrative roles. I
> believe Russel said he had done some work on the policy to add an audit
> administrator as well, although I'm not able to find it in the latest
> policy - what's the new name?
>
> My question is what are the responsibilities of these 3 administrators
> (assuming 3, are there plans for more?); I would like to know so that I
> might be able to test this.
>
> A breakdown of their responsibilities and the over-lap of those
> responsibilities would be most helpful.

I just checked, and with policy selinux-policy-mls-2.2.35-2, sysadm_r
and secadm_r can modify /etc/auditd.conf, /etc/audit.rules, and
/etc/init.d/auditd; they can read and write these files.

sysadm_r and secadm_r cannot use service auditd X or /etc/init.d/auditd
X to manipulate the daemon, so that at least is good, but neither can
auditadm_r.

Wasn't the purpose of auditadm_r to be able to control the daemon and
modify the config files? I believe it was said on the call that sysadm_r
and secadm_r should be able to read, but not modify the audit config files.

Which of these are bugs, and which are intended?

Mike