218554 – LSPP: SELinux MLS policy requires admin role separation boolean

Bug 218554 - LSPP: SELinux MLS policy requires admin role separation boolean

Summary: LSPP: SELinux MLS policy requires admin role separation boolean

Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:	(Show other bugs)
Version:	5.0
Hardware:	All Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-12-05 23:25 UTC by George C. Wilson
Modified:	2007-11-30 22:07 UTC (History)
CC List:	2 users (show)
Fixed In Version:	RC
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2007-02-08 01:24:08 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description George C. Wilson 2006-12-05 23:25:46 UTC

Description of problem:

During the last Monday LSPP call, it was decided that the certified
configuration should have a boolean to control admin role separation. This bug
exists to track that requirement. A bug fix to the existing MLS policy is required.

Version-Release number of selected component (if applicable):

selinux-policy-mls-2.4.3-8.el5

How reproducible:

Create users assosiated with SELinux users that are in turn associated with
SELinux roles.  The separation between the roles is fixed without modifying the
rebuilding the policy.

Actual results:

sysadm_r and secadm_r are separated with no control over the separation without
modifying policy.

Expected results:

sysadm_r should be all powerful when a yet-to-be-added SELinux boolean is set to
true. The lone exception might be that auditadm_r should be the only audit.log
writer.

Comment 1 Daniel Walsh 2006-12-06 18:54:45 UTC

Fixed in selinux-policy-2.4.6-6

Comment 2 Daniel Walsh 2006-12-08 16:58:11 UTC

BTW, the boolean is not in place to allow you to run either way.  With the
current SELinux toolchain, you are not allowed to have a typeattribute within a
boolean/tunable.  This is supposed to change sometime next year.  So for now I
have this commented out.

Comment 3 Jay Turner 2007-01-11 03:48:54 UTC

QE ack for RHEL5.

Comment 4 RHEL Product and Program Management 2007-02-08 01:24:08 UTC

A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.

Note You need to log in before you can comment on or make changes to this bug.