Red Hat Bugzilla – Bug 218554
LSPP: SELinux MLS policy requires admin role separation boolean
Last modified: 2007-11-30 17:07:38 EST
Description of problem:
During the last Monday LSPP call, it was decided that the certified
configuration should have a boolean to control admin role separation. This bug
exists to track that requirement. A bug fix to the existing MLS policy is required.
Version-Release number of selected component (if applicable):
Create users associated with SELinux users that are in turn associated with
SELinux roles. The separation between the roles is fixed without modifying or
rebuilding the policy.
sysadm_r and secadm_r are separated with no control over the separation without
sysadm_r should be all powerful when a yet-to-be-added SELinux boolean is set to
true. The lone exception might be that auditadm_r should be the only audit.log
Fixed in selinux-policy-2.4.6-6
BTW, the boolean is not in place to allow you to run either way. With the
current SELinux toolchain, you are not allowed to have a typeattribute within a
boolean/tunable. This is supposed to change sometime next year. So for now I
have this commented out.
QE ack for RHEL5.
A package has been built which should help the problem described in
this bug report. This report is therefore being closed with a resolution
of CURRENTRELEASE. You may reopen this bug report if the solution does
not work for you.