
Re: [redhat-lspp] Re: sysadm vs. secadm powers

Linda Knippers wrote:
Klaus Weidner wrote:
On Wed, Feb 07, 2007 at 10:45:41PM -0200, Klaus Heinrich Kiwi wrote:

Now that sysadm_r/sysadm_t has superhuman powers, I just wanted to confirm if
the following is expected and in conformance with the ToE:

role/type | read       | write to   | run      | start/stop
          | auditd.log | auditd.log | auditctl | auditd
sysadm    | yes        | yes        | no       | yes
secadm    | yes        | *no*       | no       | no
auditadm  | *no*       | no         | yes      | *yes*

Auditadm can read the auditd.log and write it but needs to be logged in at SystemHigh to be able to do it.
I'd expect auditadm to be able to read and write the audit log, is the
current behavior intentional?

I think it was intentional.  I think it's been that way since the role was
created.  Folks wanted a role that could manage the audit system but
not necessarily look at the information, if I recall.

-- ljk
