Bug 218554 - LSPP: SELinux MLS policy requires admin role separation boolean
Summary: LSPP: SELinux MLS policy requires admin role separation boolean
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-12-05 23:25 UTC by George C. Wilson
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RC
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-08 01:24:08 UTC
Target Upstream Version:
Embargoed:



Description George C. Wilson 2006-12-05 23:25:46 UTC
Description of problem:

During the last Monday LSPP call, it was decided that the certified
configuration should have a boolean to control admin role separation. This bug
exists to track that requirement. A bug fix to the existing MLS policy is required.

Version-Release number of selected component (if applicable):

selinux-policy-mls-2.4.3-8.el5

How reproducible:

Create users associated with SELinux users that are in turn associated with
SELinux roles.  The separation between the roles is fixed without modifying and
rebuilding the policy.

Actual results:

sysadm_r and secadm_r are separated with no control over the separation without
modifying policy.

Expected results:

sysadm_r should be all powerful when a yet-to-be-added SELinux boolean is set to
true. The lone exception might be that auditadm_r should be the only audit.log
writer.
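
The reproduction step above builds a chain of Linux user -> SELinux user -> SELinux roles and then asks whether sysadm_r and secadm_r stay separated. The script below is an added example (not from the bug report, the reporter, or the selinux-policy package) that audits that chain from the table printed by `semanage user -l`. It assumes the column layout of policycoreutils' semanage output (SELinux user, labeling prefix, MLS level, MLS range, then the role list); the sample table embedded in it is constructed, not captured from a RHEL 5 host, and the boolean name passed to `boolean_state` is a placeholder, since no name for the separation boolean is given on this page.

```shell
#!/bin/sh
# Added example: audit which SELinux users can reach sysadm_r and secadm_r.
# Input is the table printed by `semanage user -l`; the column layout
# (user, prefix, level, range, roles...) is assumed from policycoreutils.

# Constructed sample in that layout; NOT captured from a real system.
SAMPLE='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            sysadm     s0         s0-s15:c0.c1023                system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      s0         s0-s15:c0.c1023                staff_r sysadm_r secadm_r auditadm_r
sysadm_u        sysadm     s0         s0-s15:c0.c1023                sysadm_r
user_u          user       s0         s0                             user_r'

# Print, space-separated and in table order, the SELinux users whose role
# set contains every role given as an argument. Reads the table on stdin.
users_with_roles() {
    awk -v want="$*" '
        BEGIN { n = split(want, need, " ") }
        NF < 5 || $1 == "SELinux" { next }      # skip header and blank lines
        {
            ok = 1
            for (i = 1; i <= n; i++) {
                found = 0
                for (j = 5; j <= NF; j++) if ($j == need[i]) found = 1
                if (!found) { ok = 0; break }
            }
            if (ok) out = out (out == "" ? "" : " ") $1
        }
        END { print out }'
}

# Role separation check: returns 0 only if no SELinux user can reach both
# sysadm_r and secadm_r; otherwise names the offending users and returns 1.
check_role_separation() {
    both=$(users_with_roles sysadm_r secadm_r)
    if [ -n "$both" ]; then
        echo "sysadm_r and secadm_r are both reachable by: $both"
        return 1
    fi
    echo "sysadm_r and secadm_r are separated"
    return 0
}

# Show the state of a boolean on a live host. The name is supplied by the
# caller (the separation boolean's name is not fixed in the bug report).
# Returns 2 when the SELinux toolchain is absent so the script degrades cleanly.
boolean_state() {
    command -v getsebool >/dev/null 2>&1 || { echo "getsebool not available"; return 2; }
    getsebool "$1"
}

# Usage against the constructed sample; on a real host feed
# `semanage user -l` into check_role_separation instead of the printf.
printf '%s\n' "$SAMPLE" | check_role_separation \
    || echo "(the sample deliberately violates separation)"
```

On a host running the MLS policy, `semanage user -l | check_role_separation` answers the question posed under "Actual results" without touching policy sources; a user that turns up in both role sets is one whose login can reach either administrative role by `newrole`, which is exactly the condition the requested boolean is meant to switch on or off.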

Comment 1 Daniel Walsh 2006-12-06 18:54:45 UTC
Fixed in selinux-policy-2.4.6-6

Comment 2 Daniel Walsh 2006-12-08 16:58:11 UTC
BTW, the boolean is not in place to allow you to run either way.  With the
current SELinux toolchain, you are not allowed to have a typeattribute within a
boolean/tunable.  This is supposed to change sometime next year.  So for now I
have this commented out.

Comment 3 Jay Turner 2007-01-11 03:48:54 UTC
QE ack for RHEL5.

Comment 4 RHEL Program Management 2007-02-08 01:24:08 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.