Description of problem:
During the last Monday LSPP call, it was decided that the certified configuration should have a boolean to control admin role separation. This bug exists to track that requirement. A bug fix to the existing MLS policy is required.

Version-Release number of selected component (if applicable):
selinux-policy-mls-2.4.3-8.el5

How reproducible:
Create users associated with SELinux users that are in turn associated with SELinux roles. The separation between the roles is fixed without modifying and rebuilding the policy.

Actual results:
sysadm_r and secadm_r are separated with no control over the separation without modifying policy.

Expected results:
sysadm_r should be all powerful when a yet-to-be-added SELinux boolean is set to true. The lone exception might be that auditadm_r should be the only audit.log writer.
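The report describes the state it wants to verify: which SELinux users can reach sysadm_r, secadm_r and auditadm_r, and whether any one SELinux user can reach more than one of them. The following audit script is an added example and is not part of the bug report or of the selinux-policy package. It parses the output layout of `semanage user -l` on an MLS system (the column order user, prefix, MLS level, MLS range, roles is an assumption about that layout) and flags every SELinux user whose role set spans more than one of the three separated administrative roles. The sample output embedded in the script is constructed, not captured from a real host; the "root" row is the deliberate violation.

```python
import re
import sys

# The three administrative roles the MLS/LSPP policy keeps separate.
ADMIN_ROLES = {"sysadm_r", "secadm_r", "auditadm_r"}

# Constructed sample in the layout of `semanage user -l` on an MLS system
# (assumed layout, not captured from a real host). The "root" row is the
# deliberate problem: it reaches both secadm_r and sysadm_r.
SAMPLE_SEMANAGE_USER_L = """\
                Labelling   MLS/       MLS/
SELinux User    Prefix      MCS Level  MCS Range                      SELinux Roles

auditadm_u      user        s0         s0-s15:c0.c1023                auditadm_r
root            user        s0         s0-s15:c0.c1023                secadm_r sysadm_r staff_r system_r
secadm_u        user        s0         s0-s15:c0.c1023                secadm_r
staff_u         user        s0         s0-s15:c0.c1023                staff_r sysadm_r
sysadm_u        user        s0         s0-s15:c0.c1023                sysadm_r
system_u        user        s0         s0-s15:c0.c1023                system_r
"""

# An MLS level looks like s0, s15, ...; the header lines have no such column.
LEVEL = re.compile(r"^s\d+")


def parse_semanage_users(text):
    """Map each SELinux user to the set of roles it may reach.

    A data row is recognised by its third column being an MLS level, which
    skips the wrapped two-line header and blank lines. Columns are assumed
    to be: user, prefix, level, range, then one or more roles.
    """
    users = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not LEVEL.match(tokens[2]):
            continue
        users[tokens[0]] = set(tokens[4:])
    return users


def role_separation_violations(users):
    """Return (selinux_user, sorted admin roles) for every SELinux user that
    can reach more than one of the separated administrative roles."""
    violations = []
    for user, roles in sorted(users.items()):
        held = sorted(roles & ADMIN_ROLES)
        if len(held) > 1:
            violations.append((user, held))
    return violations


if __name__ == "__main__":
    # Pipe real output in (`semanage user -l | python3 audit_roles.py`),
    # otherwise the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SEMANAGE_USER_L
    for user, held in role_separation_violations(parse_semanage_users(text)):
        print(f"{user}: reaches {', '.join(held)}; admin roles are not separated")
```

On a system where the separation is enforced, the script prints nothing; a listed user is one whose SELinux user definition would have to change (or, once a boolean exists, one whose access depends on that boolean's value).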
Fixed in selinux-policy-2.4.6-6
BTW, the boolean is not in place to allow you to run either way. With the current SELinux toolchain, you are not allowed to have a typeattribute within a boolean/tunable. This is supposed to change sometime next year. So for now I have this commented out.
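The limitation described above is a property of the policy compiler: a boolean or tunable block may carry access-vector rules, but not declarations or attribute/role membership statements, so a typeattribute that folds sysadm_t into the secadm types cannot be toggled at runtime and has to stay commented out. The following lint is an added example, not code from the bug report or from selinux-policy. It scans refpolicy-style .te source for tunable_policy()/if blocks and reports any typeattribute, type, attribute, role, typealias or roleattribute statement found inside one. It assumes the usual refpolicy layout (the macro opened on one line, closed by `')` on its own line, and `if (bool) {` blocks closed by `}`); the tunable name sysadm_is_all_powerful and the attribute secadm_type in the embedded sample are hypothetical names constructed for the example.

```python
import re

# Statement keywords that checkpolicy only accepts at the top level of a
# policy: declarations and attribute/role assignments cannot be made
# conditional on a boolean or tunable. Only access-vector rules (allow,
# auditallow, dontaudit) are safe inside a conditional block.
UNCONDITIONAL_ONLY = re.compile(
    r"^(typeattribute|typealias|roleattribute|attribute|type|role)\b"
)

# Refpolicy layout conventions assumed by this lint.
TUNABLE_OPEN = re.compile(r"^\s*tunable_policy\(\s*`?([A-Za-z0-9_]+)")
TUNABLE_ELSE = re.compile(r"^\s*',\s*`\s*$")       # `',`' between then/else bodies
TUNABLE_CLOSE = re.compile(r"^\s*'\)\s*$")          # closing `')` of the macro call
IF_OPEN = re.compile(r"^\s*if\s*\(\s*!?\s*([A-Za-z0-9_]+)[^)]*\)\s*\{\s*$")
IF_ELSE = re.compile(r"^\s*\}\s*else\s*\{\s*$")
IF_CLOSE = re.compile(r"^\s*\}\s*$")

# Constructed sample module; the tunable and attribute names are hypothetical.
SAMPLE_TE = """\
policy_module(lspp_roles, 1.0)

## <desc>
## <p>Let sysadm_r take over the secadm_r and auditadm_r roles.</p>
## </desc>
gen_tunable(sysadm_is_all_powerful, false)

type secadm_t;
role secadm_r types secadm_t;

tunable_policy(`sysadm_is_all_powerful',`
    # rejected by checkpolicy: attribute membership cannot be conditional
    typeattribute sysadm_t secadm_type;
    allow sysadm_t security_t:security { load_policy setbool };
')

if (sysadm_is_all_powerful) {
    role sysadm_r types secadm_t;
    allow sysadm_t secadm_t:process transition;
}
"""


def lint_conditional_blocks(source):
    """Return (line_no, boolean_name, keyword) for every statement that sits
    inside a tunable_policy()/if block but may not be conditional.

    For a compound condition such as `if (a && b)` only the first boolean
    name is reported.
    """
    findings = []
    block = None  # name of the boolean/tunable whose block we are inside
    for line_no, raw in enumerate(source.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if block is None:
            m = TUNABLE_OPEN.match(line) or IF_OPEN.match(line)
            if m:
                block = m.group(1)
            continue
        if TUNABLE_ELSE.match(line) or IF_ELSE.match(line):
            continue  # else branch of the same conditional
        if TUNABLE_CLOSE.match(line) or IF_CLOSE.match(line):
            block = None
            continue
        kw = UNCONDITIONAL_ONLY.match(line)
        if kw:
            findings.append((line_no, block, kw.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, name, keyword in lint_conditional_blocks(SAMPLE_TE):
        print(f"line {line_no}: '{keyword}' statement inside conditional on {name}")
```

Running the lint on a module before `make` catches exactly the construct the comment says the toolchain rejects, so the rule can be moved out of the conditional (or left commented, as was done here) instead of failing at build time.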
QE ack for RHEL5.
A package has been built which should help the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.