[redhat-lspp] netlabelctl gets permission denied - possible role mixup
Loulwa Salem
loulwas at us.ibm.com
Wed Mar 21 15:34:16 UTC 2007
Paul Moore wrote:
> On Wednesday, March 21 2007 11:11:25 am Stephen Smalley wrote:
>
>>On Wed, 2007-03-21 at 11:09 -0400, Paul Moore wrote:
>>
>>>On Wednesday, March 21 2007 10:59:10 am Loulwa Salem wrote:
>>>
>>>>Paul Moore wrote:
>>>>
>>>>>I'm not sure this is a bug, unless of course we want sysadm_r to be
>>>>>able to configure NetLabel. Please try running netlabelctl as
>>>>>secadm_r and report the results.
>>>>
>>>>secadm is able to execute netlabelctl. sysadm_r used to be able to run
>>>>it as well. Why was it changed in the first place, and should sysadm_r
>>>>be able to execute it since it is supposed to be a powerful role?
>>>
>>>I don't know why the behavior has changed. The only thing I can think of
>>>that is related is the change made to allow netlabelctl to be executed by
>>>init (patch snippet below). However, from what I can remember the
>>>init_daemon_domain() only added additional permissions ...
>>
>>If it adds a role_transition to system_r (likely, since it now thinks
>>that netlabelctl is a daemon that needs to run in system_r), then that
>>would explain it.
>
>
> All righty, I'll have to take a closer look at the policy and see if there is
> a better interface or set of allow rules to use ... I'm so used to running
> netlabelctl manually via secadm_r I didn't notice this while testing the
> change below.
>
> Unless Dan has any great insight into the best way to solve this I'll work on
> it after lunch.
>
Thanks Paul,
I'll open a bug to track this and copy you and Linda on it.
- Loulwa