[redhat-lspp] Re: Re: sysadm vs. secadm powers

Michael C Thompson thompsmc at us.ibm.com
Mon Feb 12 23:02:06 UTC 2007


Klaus Heinrich Kiwi wrote:
> <posted & mailed>
> 
> Daniel J Walsh wrote:
> 
>> Linda Knippers wrote:
>>> Klaus Weidner wrote:
>>>   
>>>> On Wed, Feb 07, 2007 at 10:45:41PM -0200, Klaus Heinrich Kiwi wrote:
>>>>
>>>>     
>>>>> Now that sysadm_r/sysadm_t has supehuman powers, I just wanted to
>>>>> confirm if the following is expected and in conformance with the ToE:
>>>>>
>>>>> role/type       |      read     |    write to   |      run      | start/stop
>>>>>                |   auditd.log  |   auditd.log  |    auditctl   | auditd
>>>>> sysadm          |       yes     |       yes     |       no      | yes
>>>>> secadm          |       yes     |       *no*    |       no      | no
>>>>> auditadm        |       *no*    |       no      |       yes     | *yes*
>>>>>       
>>>>     
>> Auditadm can read the auditd.log and write it but needs to be logged in
>> at SystemHigh to be able to do it.
> Please let me know if I'm doing something wrong:
> 
> -bash-3.1# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
> (disk),10(wheel) context=staff_u:auditadm_r:auditadm_t:s0-s15:c0.c1023

You need to be SystemHigh-SystemHigh.

Mike
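A quick way to check the point Mike makes, as an added example that is not part of the thread: parse the MLS range out of a context string like the one `id` printed above and report whether both the low and high level are SystemHigh. The SystemHigh value (s15:c0.c1023) and the `newrole -r ... -l ...` invocation in the hint are assumptions based on the standard MLS policy, not something stated in the thread.

```shell
#!/bin/sh
# Added example: decide whether an SELinux MLS context is SystemHigh-SystemHigh,
# which is the level the thread says auditadm needs to write auditd.log.

SYSTEMHIGH="s15:c0.c1023"   # assumption: SystemHigh as defined in the MLS policy

# mls_range CONTEXT -> prints the "low-high" range, i.e. everything from the
# 4th colon-separated field on (categories contain ':' so we keep the tail).
mls_range() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# mls_low / mls_high: split the range on its '-' separator. A range with no
# '-' is a single level, so low and high are the same string.
mls_low() {
    range=$(mls_range "$1")
    printf '%s\n' "${range%%-*}"
}
mls_high() {
    range=$(mls_range "$1")
    printf '%s\n' "${range#*-}"
}

# is_systemhigh CONTEXT -> exit status 0 only if low == high == SystemHigh
is_systemhigh() {
    [ "$(mls_low "$1")" = "$SYSTEMHIGH" ] && [ "$(mls_high "$1")" = "$SYSTEMHIGH" ]
}

# Constructed sample: the context from the id output quoted in this thread.
CTX="staff_u:auditadm_r:auditadm_t:s0-s15:c0.c1023"

if is_systemhigh "$CTX"; then
    echo "$CTX: running at SystemHigh-SystemHigh"
else
    echo "$CTX: low level is $(mls_low "$CTX"), not SystemHigh"
    echo "hint: re-enter the role at that level, e.g. newrole -r auditadm_r -l $SYSTEMHIGH"
fi
```

On a live system, substitute `$(id -Z)` for the constructed CTX to check the current shell.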
