[redhat-lspp] Re: sysadm vs. secadm powers

Daniel J Walsh dwalsh at redhat.com
Mon Feb 12 17:03:11 UTC 2007


Linda Knippers wrote:
> Klaus Weidner wrote:
>   
>> On Wed, Feb 07, 2007 at 10:45:41PM -0200, Klaus Heinrich Kiwi wrote:
>>
>>     
>>> Now that sysadm_r/sysadm_t has superhuman powers, I just wanted to confirm if
>>> the following is expected and in conformance with the ToE:
>>>
>>> role/type       |      read     |    write to   |      run      | start/stop
>>>                |   auditd.log  |   auditd.log  |    auditctl   | auditd
>>> sysadm          |       yes     |       yes     |       no      | yes
>>> secadm          |       yes     |       *no*    |       no      | no
>>> auditadm        |       *no*    |       no      |       yes     | *yes*
>>>       
>>     
Auditadm can read the auditd.log and write it but needs to be logged in 
at SystemHigh to be able to do it.
>> I'd expect auditadm to be able to read and write the audit log, is the
>> current behavior intentional?
>>     
>
> I think it was intentional.  I think it's been that way since the role was
> created.  Folks wanted a role that could manage the audit system but
> not necessarily look at the information, if I recall.
>
> -- ljk
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
>   