On Fri, Sep 02, 2011 at 02:49:26PM +0100, Roy Badami wrote:
>
> >>Any idea what it is that gives sysadm_t write access to selinux_config_t:file ?
> >>
> >>I can see the rule when I open the binary policy in apol but I haven't had much luck tracking down where it comes from in the policy source.
> >The auth_manage_all_files_except_shadow() call in userdom_admin_user_template().
>
> Ah, thank you! I would never have found that on my own, given the
> number of macros and attributes that everything indirects through!
>
> So I'm beginning to realise that sysadm_r is probably the wrong
> starting point for me. I think what I really want to be doing is
> probably creating a new 'limited admin' role (perhaps based on
> staff_r) and adding in only those permissions the role actually
> needs.

You could create a new role based off of the userdom_base_user_template, and then map this newly created role to the staff_u user, so that staff_u can newrole to the "new role". Then just tailor the role to your requirements.

A key property of the "base_user_template" is that it is not a login user template, so the role can only be accessed through newrole/su. The new role cannot interact with user home directories.

>
> Thanks again,
>
> roy
>
> --
> Roy Badami
> Roboreus Ltd
> 1 New Oxford Street
> London WC1A 1NU
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
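The following is an added illustration of the approach suggested in the reply, not code from either poster. It sketches a reference-policy style loadable module that builds a limited admin role from userdom_base_user_template and grants it only a couple of narrowly scoped permissions. The module name limadmin, the choice of permissions, and the interface names seutil_read_config and selinux_get_enforce_mode are assumptions about the reference policy in use; check them against the interfaces shipped with your policy sources before building.

```selinux
policy_module(limadmin, 1.0.0)

########################################
#
# Declarations
#

gen_require(`
	role staff_r;
')

# Assumed refpolicy template: creates the limadmin_t domain and the
# limadmin_r role. Because this is the base (non-login) user template,
# the role is only reachable through newrole/su and gets no access to
# user home directories, which is the property the reply relies on.
userdom_base_user_template(limadmin)

########################################
#
# Local policy
#

# Allow a staff_r session to switch to the limited admin role. This role
# allow rule is what makes "newrole -r limadmin_r" possible from staff_r.
allow staff_r limadmin_r;

# Tailor the role: add only what it actually needs. As a constructed
# example (assumed interface names), let it read the SELinux
# configuration and query the enforcing mode, but not write either.
# Contrast this with sysadm_t, which gets write access to
# selinux_config_t:file via auth_manage_all_files_except_shadow().
seutil_read_config(limadmin_t)
selinux_get_enforce_mode(limadmin_t)
```

To put this to use you would build and load the module (for example with the devel Makefile and semodule -i), then add limadmin_r to the roles of staff_u with semanage user -m -R "staff_r limadmin_r" staff_u, after which a staff_u session can run newrole -r limadmin_r. The point of starting from the base template rather than from sysadm_r is that every permission the role ends up with is one you added explicitly, so sesearch against the resulting policy shows exactly what the limited admin can touch.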