[redhat-lspp] Re: newrole, UID change, etc

Russell Coker rcoker at redhat.com
Mon Apr 24 21:28:56 UTC 2006


On Mon, 2006-04-24 at 16:08 -0400, Stephen Smalley wrote:
> On Sun, 2006-04-23 at 11:45 +1000, Russell Coker wrote:
> > I have another idea.  If a user is logged in with a context that permits
> > changing role to sysadm_r, secadm_r, or auditadm_r then permit them to
> > change to UID=0 with authentication against the root account.
> > 
> > That way in the permissive mode and selinux=0 cases newrole would
> > effectively be a version of su which can only change to the root
> > account.  As it would use the same PAM settings as su this would not be
> > a problem.
> 
> Remind me again why newrole followed by su isn't adequate?  I really
> don't think we want to re-merge uid changes with context changes.

The effort and inconvenience of running the extra command with the extra
authentication step.

If we aren't going to support changing UID and role at the same time
then IMHO the only viable alternative is to have multiple accounts with
UID==0, which is a gross hack.

Did this get discussed in the conference call?  I joined late...