Long time lurker, have an issue I'm trying to sort out. I would like to create a
parallel named user to the default sysadm_u and parallel module sysadm_secadm in order to
support different tiers of administrative user. My end goal is to have a minimum of two
"sysadm_u" type roles, one with the sys/sec role removed to prevent unauthorized
policy modification, and one with it implicitly available. For the sake of discussion,
I'll call them restricted_sysadm_u and super_sysadm_u.
My plan is(was?) to dump the current policy, change the name for the target profile of
either restricted_ or super_ remove anything additional I don't wish restricted_ to
perform, add the sysadm_secadm transitions explicitly to super_, and assign them as
appropriate to their respective physical users/automation users. I would then remove the
sysadm_secadm to close to door onto the default ability to modify policy.
I've attempted to extract the CIL policy from the running module and get dozens of
repeated lines in the grants, so I tried to extract the syadm.pp and sysadm_secadm.pp
using semodule -E as HLL and have only been able to get them down as far as the .mod file.
I have sedismod available, but there doesn't seem to be a straight path to dump the
module down to its constituent elements.
Is there an easy way to extract the type enforcement and file contexts from the xyz.mod
Is there an easier way to go about doing this without starting from scratch with a clean
Is there a shortcut I have completely overlooked?
Thanks very much in advance,
Show replies by date