On Wed, 2011-08-31 at 19:03 +0100, Roy Badami wrote:
> If the allow_sysadm_manage_security boolean was implemented in this
> policy then I could simply set that to 'off'. Given it's not -
> what's the best way to grant this permission to secadm_r only?
> Presumably I want to set secure_mode_loadpolicy to 'on' as now so that
> the shipped policy doesn't give permissions, and then load some custom
> TE rules to add the necessary permissions for secadm_r to administer
> security policy?

I think that would work and avoid the need to modify/rebuild the existing policy. However, be aware that the sysadm vs secadm distinction is largely illusory even if you do this. See this thread for further discussion:

http://marc.info/?t=105457894700002&r=1&w=2

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.