[redhat-lspp] Administrative Roles
Daniel J Walsh
dwalsh at redhat.com
Fri Apr 28 21:45:05 UTC 2006
Michael C Thompson wrote:
> Michael C Thompson wrote:
>> Hey all,
>>
>> Right now, we have sysadm_r and secadm_r as our administrative roles.
>> I believe Russel said he had done some work on the policy to add an
>> audit administrator as well, although I'm not able to find it in the
>> latest policy - what's the new name?
>>
>> My question is what are the responsibilities of these 3 administrators
>> (assuming 3, are there plans for more?); I would like to know so that
>> I might be able to test this.
>>
>> A breakdown of their responsibilities and the over-lap of those
>> responsibilities would be most helpful.
>
> I just checked, and with policy selinux-policy-mls-2.2.35-2, sysadm_r
> and secadm_r can modify /etc/auditd.conf, /etc/audit.rules,
> /etc/init.d/auditd can read and write these files.
>
secadm should not be able to edit auditd.conf or audit.rules. That is a
bug. I do not know about sysadm.
> sysadm_r and secadm_r can not use service auditd X or
> /etc/init.d/auditd X to manipulate the daemon, so that at least is
> good, but neither can auditadm_r.
>
Are you using run_init?
> Wasn't the purpose of auditadm_r to be able to control the daemon and
> modify the config files? I believe it was said on the call that
> sysadm_r and secadm_r should be able to read, but not modify the audit
> config files.
>
Again, secadm_r, but I am not sure we can easily stop sysadm_r.
> Which of these are bugs, and which are intended?
> Mike
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
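An added example, not from this thread or from the policy itself: a small Python check that parses `sesearch --allow` style output (constructed sample lines below, mirroring Mike's report) and compares it against the split described above, where sysadm_r and secadm_r may read but not modify the audit config and only auditadm_r may modify it. The domain and type names (sysadm_t, secadm_t, auditadm_t, auditd_etc_t) are assumed from the reference policy, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of `sesearch --allow -t auditd_etc_t -c file` output.
# Not real policy output: it reproduces the situation reported in the
# thread, where secadm_t can write the audit config (called a bug above).
SAMPLE_SESEARCH = """\
allow sysadm_t auditd_etc_t : file { ioctl read getattr lock open } ;
allow secadm_t auditd_etc_t : file { ioctl read write getattr lock append open } ;
allow auditadm_t auditd_etc_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow auditd_t auditd_etc_t : file { ioctl read getattr lock open } ;
"""

# Expected split from the thread: all three roles read, only auditadm writes.
# Domain/type names are assumed from the reference policy (not on the page).
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr", "link"}
EXPECT_WRITE = {"sysadm_t": False, "secadm_t": False, "auditadm_t": True}

# Accepts both "src tgt : cls { perms }" and "src tgt:cls perm" forms.
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|([a-z_]+))")

def parse_allow_rules(text):
    """Map (source, target, class) -> set of permissions from sesearch output."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, many, single = m.groups()
            rules[(src, tgt, cls)].update((many or single).split())
    return rules

def check_audit_config_split(text, target="auditd_etc_t"):
    """Return (domain, problem) pairs where the policy deviates from EXPECT_WRITE."""
    rules = parse_allow_rules(text)
    problems = []
    for domain, may_write in EXPECT_WRITE.items():
        perms = rules.get((domain, target, "file"), set())
        writes = sorted(perms & WRITE_PERMS)
        if writes and not may_write:
            problems.append((domain, "can modify %s: %s" % (target, " ".join(writes))))
        if may_write and not writes:
            problems.append((domain, "cannot modify %s" % target))
        if "read" not in perms:
            problems.append((domain, "cannot read %s" % target))
    return problems

if __name__ == "__main__":
    for domain, problem in check_audit_config_split(SAMPLE_SESEARCH):
        print("%-12s %s" % (domain, problem))
```

On a real system, feed it the output of `sesearch --allow -t auditd_etc_t -c file` for the loaded policy instead of the constructed sample.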