On 09/02/11 07:37, Roy Badami wrote: > >> I think that would work and avoid the need to modify/rebuild the >> existing policy. >> >> However, be aware that the sysadm vs secadm distinction is largely >> illusory even if you do this. See this thread for further discussion: >> http://marc.info/?t=105457894700002&r=1&w=2 >> > > Any idea what it is that gives sysadm_t write access to selinux_config_t:file ? > > I can see the rule when I opne the binary policy in apol but I haven't had much luck tracking down where it comes from in the policy source. The auth_manage_all_files_except_shadow() call in userdom_admin_user_template(). -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
