[redhat-lspp] Administrative Roles

Michael C Thompson thompsmc at us.ibm.com
Fri Apr 28 22:01:40 UTC 2006


Daniel J Walsh wrote:
> Michael C Thompson wrote:
>> Michael C Thompson wrote:
>>> Hey all,
>>>
>>> Right now, we have sysadm_r and secadm_r as our administrative roles. 
>>> I believe Russel said he had done some work on the policy to add an 
>>> audit administrator as well, although I'm not able to find it in the 
>>> latest policy - what's the new name?
>>>
>>> My question is what are the responsibilities of these 3 administrators 
>>> (assuming 3, are there plans for more?); I would like to know so that 
>>> I might be able to test this.
>>>
>>> A breakdown of their responsibilities and the overlap of those 
>>> responsibilities would be most helpful.
>>
>> I just checked, and with policy selinux-policy-mls-2.2.35-2, sysadm_r 
>> and secadm_r can modify /etc/auditd.conf, /etc/audit.rules, 
>> /etc/init.d/auditd can read and write these files.
>>
> secadm should not be able to edit auditd.conf or audit.rules.  That is a 
> bug.  I do not know about sysadm.

Do I need to file a bugzilla? (I'd rather not if I can avoid it). Who 
can answer the sysadm_r question?

>> sysadm_r and secadm_r cannot use service auditd X or 
>> /etc/init.d/auditd X to manipulate the daemon, so that at least is 
>> good, but neither can auditadm_r.
>>
> Are you using run_init?

OK, I've never heard of run_init until now... I tried run_init auditd 
status, which failed to do anything useful; it printed a usage message 
saying -f was a valid option. So I tried this, and got locked out of my 
shell...

Why does service auditd status not work?

>> Wasn't the purpose of auditadm_r to be able to control the daemon and 
>> modify the config files? I believe it was said on the call that 
>> sysadm_r and secadm_r should be able to read, but not modify the audit 
>> config files.
>>
> Again secadm_r but I am not sure we can easily stop sysadm_r.

Why can't we easily stop sysadm_r? I'm not familiar enough with the 
policy to answer this myself.

Thanks,
Mike
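A check for the question being tested above (which role domains may write the audit configuration), as an added example that is not part of the thread, the MLS policy, or Red Hat's tooling. It parses sesearch-style allow rules for the type that refpolicy puts on /etc/auditd.conf and /etc/audit.rules; the type name auditd_etc_t, the domain names sysadm_t, secadm_t and auditadm_t, and the sample rules below are all assumptions, not output from selinux-policy-mls-2.2.35-2.

```shell
#!/bin/sh
# Added example, not from the redhat-lspp thread. Lists which SELinux domains
# hold write/append on auditd_etc_t files, so the "who can edit audit.rules"
# question can be answered from the loaded policy instead of by trial.
#
# Assumptions: the audit config files carry the refpolicy type auditd_etc_t,
# and the role domains are sysadm_t / secadm_t / auditadm_t. On a real system
# replace SAMPLE_RULES with the output of:
#   sesearch -A -t auditd_etc_t -c file

# Constructed sample in sesearch format; NOT real output from any policy.
SAMPLE_RULES='allow sysadm_t auditd_etc_t : file { read getattr write append lock ioctl } ;
allow secadm_t auditd_etc_t : file { read getattr write } ;
allow auditadm_t auditd_etc_t:file { read getattr write append create unlink };
allow auditd_t auditd_etc_t : file { read getattr } ;
allow sysadm_t auditd_etc_t : dir { search getattr } ;'

# audit_writers RULES
#   Prints, one per line and sorted, every source domain that may write or
#   append to a file of type auditd_etc_t. The sed step pads ":" "{" "}" ";"
#   with spaces so both setools 3 ("t : file { ... } ;") and setools 4
#   ("t:file { ... };") spellings split into the same awk fields.
audit_writers() {
    printf '%s\n' "$1" | sed 's/[:{};]/ & /g' | awk '
        $1 == "allow" && $3 == "auditd_etc_t" && $5 == "file" {
            for (i = 6; i <= NF; i++)
                if ($i == "write" || $i == "append") { print $2; break }
        }' | sort -u
}

# check_readonly RULES DOMAIN...
#   For each DOMAIN that is expected to have read-only access to the audit
#   config (secadm_t and sysadm_t per the thread), prints a BUG line if the
#   policy in RULES actually grants it write/append.
check_readonly() {
    writers=$(audit_writers "$1")
    shift
    for d in "$@"; do
        if printf '%s\n' "$writers" | grep -qx "$d"; then
            printf 'BUG: %s can write audit config\n' "$d"
        fi
    done
    return 0
}

# Stand-alone run against the constructed sample.
echo "domains that may write auditd_etc_t:"
audit_writers "$SAMPLE_RULES"
check_readonly "$SAMPLE_RULES" secadm_t sysadm_t auditd_t
```

Against the constructed sample this reports sysadm_t, secadm_t and auditadm_t as writers and flags the first two, which is the state the thread describes as a bug; against a real policy, feed it the sesearch output and expect only auditadm_t to remain.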
