Bug 218554 - LSPP: SELinux MLS policy requires admin role separation boolean
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-12-05 18:25 EST by George C. Wilson
Modified: 2007-11-30 17:07 EST
Fixed In Version: RC
Doc Type: Bug Fix
Last Closed: 2007-02-07 20:24:08 EST
Description George C. Wilson 2006-12-05 18:25:46 EST
Description of problem:

During the last Monday LSPP call, it was decided that the certified
configuration should have a boolean to control admin role separation. This bug
exists to track that requirement. A bug fix to the existing MLS policy is required.

Version-Release number of selected component (if applicable):

selinux-policy-mls-2.4.3-8.el5

How reproducible:

Create users associated with SELinux users that are in turn associated with
SELinux roles.  The separation between the roles is fixed without modifying and
rebuilding the policy.

Actual results:

sysadm_r and secadm_r are separated with no control over the separation without
modifying policy.

Expected results:

sysadm_r should be all powerful when a yet-to-be-added SELinux boolean is set to
true. The lone exception might be that auditadm_r should be the only audit.log
writer.
Comment 1 Daniel Walsh 2006-12-06 13:54:45 EST
Fixed in selinux-policy-2.4.6-6
Comment 2 Daniel Walsh 2006-12-08 11:58:11 EST
BTW, the boolean is not in place to allow you to run either way.  With the
current SELinux toolchain, you are not allowed to have a typeattribute within a
boolean/tunable.  This is supposed to change sometime next year.  So for now I
have this commented out.
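As an added illustration of the toolchain limitation described in Comment 2 (constructed here, not the policy that shipped in RHEL 5; the module, boolean and permission names are assumptions), a refpolicy-style fragment showing the form that fails to compile and the form that does:

```selinux
# Constructed example, not the RHEL 5 MLS policy. Module and boolean names are hypothetical.
policy_module(sysadm_secadm_merge, 1.0.0)

gen_require(`
	type sysadm_t, security_t;
')

## <desc>
## <p>Allow sysadm_r to act with secadm_r privileges (disables role separation)</p>
## </desc>
gen_tunable(allow_sysadm_secadm, false)

# What the bug asked for: let sysadm_t inherit everything granted to an
# attribute that carries the secadm_r rights, switched by the boolean.
# tunable_policy() expands to a kernel `if (allow_sysadm_secadm) { ... }`
# block, and checkpolicy/checkmodule accept only allow/auditallow/dontaudit
# and type_* rules inside a conditional block, so this does NOT compile
# (hypothetical attribute name secadm_privs):
#
# tunable_policy(`allow_sysadm_secadm',`
#	typeattribute sysadm_t secadm_privs;
# ')

# What does compile: the individual access-vector rules the attribute would
# have conferred, restated inside the conditional block. sysadm_t gains them
# only while the boolean is on (setsebool allow_sysadm_secadm on), and the
# audit-log writer exception can simply be left out of the block.
tunable_policy(`allow_sysadm_secadm',`
	allow sysadm_t security_t:security { setbool setenforce };
')
```

Until the toolchain permits typeattribute inside a conditional block, every secadm_r permission has to be enumerated this way, which is why the shipped policy keeps the boolean commented out rather than half-implemented.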
Comment 3 Jay Turner 2007-01-10 22:48:54 EST
QE ack for RHEL5.
Comment 4 RHEL Product and Program Management 2007-02-07 20:24:08 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
