[redhat-lspp] Administrative Roles
Michael C Thompson
thompsmc at us.ibm.com
Fri Apr 28 22:01:40 UTC 2006
Daniel J Walsh wrote:
> Michael C Thompson wrote:
>> Michael C Thompson wrote:
>>> Hey all,
>>>
>>> Right now, we have sysadm_r and secadm_r as our administrative roles.
>>> I believe Russel said he had done some work on the policy to add an
>>> audit administrator as well, although I'm not able to find it in the
>>> latest policy - what's the new name?
>>>
>>> My question is what are the responsibilities of these 3 administrators
>>> (assuming 3, are there plans for more?); I would like to know so that
>>> I might be able to test this.
>>>
>>> A breakdown of their responsibilities and the overlap of those
>>> responsibilities would be most helpful.
>>
>> I just checked, and with policy selinux-policy-mls-2.2.35-2, sysadm_r
>> and secadm_r can modify /etc/auditd.conf, /etc/audit.rules,
>> /etc/init.d/auditd can read and write these files.
>>
> secadm should not be able to edit auditd.conf or audit.rules. That is a
> bug. I do not know about sysadm.
Do I need to file a bugzilla? (I'd rather not if I can avoid it). Who
can answer the sysadm_r question?
>> sysadm_r and secadm_r can not use service auditd X or
>> /etc/init.d/auditd X to manipulate the daemon, so that at least is
>> good, but neither can auditadm_r.
>>
> Are you using run_init?
OK, I've never heard of run_init until now... I tried run_init auditd
status, which failed to do anything useful, it printed a usage message
saying -f was a valid option. So I tried this, and got locked out of my
shell...
Why does service auditd status not work?
>> Wasn't the purpose of auditadm_r to be able to control the daemon and
>> modify the config files? I believe it was said on the call that
>> sysadm_r and secadm_r should be able to read, but not modify the audit
>> config files.
>>
> Again secadm_r but I am not sure we can easily stop sysadm_r.
Why can't we easily stop sysadm_r? I'm not familiar enough with the
policy to answer this myself.
Thanks,
Mike
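The role split argued for above (secadm_r and sysadm_r may read but not modify the audit config, auditadm_r manages it) can be regression-checked against dumped allow rules. This is an added example, not code from the list or the policy; the sesearch-style rule format and the type and domain names (auditd_etc_t, secadm_t, sysadm_t, auditadm_t) are assumptions not stated in the mail.

```python
"""Flag domains whose allow rules on the audit config type exceed the
access the thread says they should have. Rules below are a constructed
sample in sesearch -A style; type/domain names are assumed."""
import re

# Expected file access to audit config per domain (assumption from the thread:
# secadm_r/sysadm_r read-only, auditadm_r may change the files).
READ_ONLY = {"read", "getattr", "open", "ioctl", "lock"}
EXPECTED = {
    "secadm_t": READ_ONLY,
    "sysadm_t": READ_ONLY,
    "auditadm_t": READ_ONLY | {"write", "append", "create", "unlink"},
}

# Assumed type label for /etc/auditd.conf and /etc/audit.rules.
AUDIT_CONFIG_TYPE = "auditd_etc_t"

# allow <src> <tgt> : <class> { p1 p2 ... };   or   allow <src> <tgt> : <class> p;
RULE_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;?$"
)

def parse_allow_rules(text):
    """Yield (source, target, class, set-of-perms) for each parsable allow line."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skip non-allow lines (e.g. headers, type_transition)
        src, tgt, cls, multi, single = m.groups()
        perms = set(multi.split()) if multi else {single}
        yield src, tgt, cls, perms

def find_violations(text, expected=EXPECTED, target=AUDIT_CONFIG_TYPE):
    """Return {domain: sorted perms on the audit config type not in its allowance}."""
    granted = {}
    for src, tgt, cls, perms in parse_allow_rules(text):
        if tgt == target and cls == "file" and src in expected:
            granted.setdefault(src, set()).update(perms)
    return {d: sorted(p - expected[d]) for d, p in granted.items() if p - expected[d]}

# Constructed sample, not a real policy dump: secadm_t has a stray write grant.
SAMPLE = """\
allow secadm_t auditd_etc_t : file { ioctl read getattr lock open write };
allow sysadm_t auditd_etc_t : file { read getattr open };
allow auditadm_t auditd_etc_t : file { read write create unlink };
allow sysadm_t auditd_etc_t : dir { read search };
"""

if __name__ == "__main__":
    for domain, extra in find_violations(SAMPLE).items():
        print(f"{domain}: unexpected perms on {AUDIT_CONFIG_TYPE}: {' '.join(extra)}")
```

On a real system the same check runs over the output of `sesearch -A -t auditd_etc_t -c file` instead of the constructed sample.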