Any idea what it is that gives sysadm_t write access to selinux_config_t:file ?
I can see the rule when I opne the binary policy in apol but I haven't had much luck tracking down where it comes from in the policy source.
The auth_manage_all_files_except_shadow() call in userdom_admin_user_template().
Ah, thank you! I would never have found that on my own, given the
number of macros and attributes that everything indirects through!
So I'm beginning to realise that sysadm_r is probably the wrong starting
point for me. I think what I really want to be doing is probably
creating a new 'limited admin' role (perhaps based on staff_r) and
adding in only those permissions the role actually needs.
Thanks again,
roy
--
Roy Badami
Roboreus Ltd
1 New Oxford Street
London WC1A 1NU
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
