[redhat-lspp] Re: sysadm vs. secadm powers

Linda Knippers linda.knippers at hp.com
Fri Feb 9 22:53:36 UTC 2007


Klaus Weidner wrote:
> On Wed, Feb 07, 2007 at 10:45:41PM -0200, Klaus Heinrich Kiwi wrote:
> 
>>Now that sysadm_r/sysadm_t has superhuman powers, I just wanted to confirm if
>>the following is expected and in conformance with the ToE:
>>
>>role/type       |      read     |    write to   |      run      | start/stop
>>                |   auditd.log  |   auditd.log  |    auditctl   | auditd
>>sysadm          |       yes     |       yes     |       no      | yes
>>secadm          |       yes     |       *no*    |       no      | no
>>auditadm        |       *no*    |       no      |       yes     | *yes*
> 
> 
> I'd expect auditadm to be able to read and write the audit log, is the
> current behavior intentional?

I think it was intentional.  I think it's been that way since the role was
created.  Folks wanted a role that could manage the audit system but
not necessarily look at the information, if I recall.

-- ljk
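One way to check a loaded policy against the yes/no table quoted above is to parse the file allow rules that `sesearch --allow` prints and rebuild the matrix per admin domain. The following is an added example, not code from the thread or from the LSPP policy; the sample rules are constructed, and the type names other than sysadm_t (secadm_t, auditadm_t, auditd_log_t, auditctl_exec_t, auditd_initrc_exec_t) and the choice of which target/permission stands for each column are assumptions about the policy under test.

```python
import re

# Constructed sample in the shape `sesearch --allow` prints.  The domain and
# type names are assumptions, not values taken from the mailing-list thread.
SAMPLE_RULES = """
allow sysadm_t auditd_log_t:file { getattr open read write append };
allow sysadm_t auditd_initrc_exec_t:file { execute open read };
allow secadm_t auditd_log_t:file { getattr open read };
allow auditadm_t auditctl_exec_t:file { execute open read };
allow auditadm_t auditd_initrc_exec_t:file execute;
"""

# Table columns from the thread mapped to the (target type, permission) that
# is assumed to represent each column in the policy.
CHECKS = {
    "read auditd.log":   ("auditd_log_t", "read"),
    "write auditd.log":  ("auditd_log_t", "write"),
    "run auditctl":      ("auditctl_exec_t", "execute"),
    "start/stop auditd": ("auditd_initrc_exec_t", "execute"),
}

# The expectation exactly as listed in the thread (yes -> True, no -> False).
EXPECTED = {
    "sysadm_t":   {"read auditd.log": True,  "write auditd.log": True,  "run auditctl": False, "start/stop auditd": True},
    "secadm_t":   {"read auditd.log": True,  "write auditd.log": False, "run auditctl": False, "start/stop auditd": False},
    "auditadm_t": {"read auditd.log": False, "write auditd.log": False, "run auditctl": True,  "start/stop auditd": True},
}

# Matches both the `{ a b c }` and the single-permission form of a file allow rule.
RULE_RE = re.compile(r"^allow (\S+) (\S+):file (?:\{ ([^}]*) \}|(\S+));$")

def parse_allow_rules(text):
    """Return {(source_type, target_type): set(perms)} from sesearch-style lines."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and non-file rules are ignored here
        perms = (m.group(3) or m.group(4)).split()
        rules.setdefault((m.group(1), m.group(2)), set()).update(perms)
    return rules

def role_matrix(rules, domains):
    """Rebuild the yes/no table from the thread for the given admin domains."""
    return {d: {col: perm in rules.get((d, tgt), set())
                for col, (tgt, perm) in CHECKS.items()} for d in domains}

def policy_mismatches(rules, expected=EXPECTED):
    """List (domain, column, actual) cells where the policy disagrees with the table."""
    matrix = role_matrix(rules, expected)
    return [(d, col, matrix[d][col]) for d in expected for col in CHECKS
            if matrix[d][col] != expected[d][col]]
```

On a real system, feed the output of `sesearch --allow -c file` in place of SAMPLE_RULES; an empty mismatch list means the policy agrees with the table for the assumed type mapping.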
