I think that would work and avoid the need to modify/rebuild the existing policy. However, be aware that the sysadm vs secadm distinction is largely illusory even if you do this. See this thread for further discussion: http://marc.info/?t=105457894700002&r=1&w=2
Any idea what it is that gives sysadm_t write access to selinux_config_t:file?
I can see the rule when I open the binary policy in apol but I haven't had much luck tracking down where it comes from in the policy source.
-- Roy Badami Roboreus Ltd 1 New Oxford Street London WC1A 1NU