FC5/SELinux: Possibility to enforce a "second set of eyes" method for admins?

Daniel J Walsh dwalsh at redhat.com
Fri Jun 9 00:57:03 UTC 2006


Michael Decker wrote:
> Hi!
>
> I wonder if I can set up this kind of scenario:
> An admin has to change e.g. some SELinux policies. But if an admin can
> change all SELinux policies, he could change his own or others in a way,
> so he can do anything. So a second admin/user has to allow that action.
>
> Is there a way to set up that?
>
> Thanks...
>
Not really. If a user can change policy he can pretty much get around
controls. You could build constraints into the base policy to prevent
him from loading certain kinds of policy, but it would get very
complicated.

Dan




More information about the fedora-selinux-list mailing list