[FEDORA] Re: Allowing a user administrative tasks without roots password

Daniel Wittenberg daniel-wittenberg at starken.com
Tue Oct 14 15:55:55 UTC 2003


Speaking of SELinux, how hard is it to apply the SELinux patches to
Fedora?  Since I have to do this in an automated, easy setup, doing
individual kernel builds is not an option, so RPMs against the kernel
and/or new userland tools are a must.

Dan

On Tue, 2003-10-14 at 10:22, Stephen Smalley wrote:
> On Tue, 2003-10-14 at 03:55, Louis Garcia wrote:
> > I was wondering if it was possible to create a root-like account but
> > having it locked. This way you can control who has access to what
> > without having to give up root's password.
> > 
> > Let's say you allow users to change the clock. They call up the Date &
> > Time capplet but instead of giving root's password they give this new
> > account's password. So now a user can modify the time but not be able to
> > log in as root and do horrible things.
> > 
> > Is this doable, or is it more complicated? Maybe ACL would be better for
> > this.
> 
> SELinux can support this based on the user's role.  Dan Walsh has an
> experimental patched userhelper for SELinux that makes use of this
> ability to avoid requiring the root password to run the configuration
> tools, and just relies on the user role authorizations.  Work still
> needs to be done on the policy to provide a reasonable set of
> administrative roles.
>  
-- 
=============================
Daniel Wittenberg
RHCE+AS/IBM Certified Specialist
President/CTO
The Starken Group
http://www.starken.com





More information about the fedora-test-list mailing list