[redhat-lspp] labeled ipsec policy
Casey Schaufler
casey at schaufler-ca.com
Mon Nov 20 16:34:09 UTC 2006
--- Paul Moore <paul.moore at hp.com> wrote:
> Hmmm, I suspect this will probably be a problem as the IPsec management
> tools serve a dual purpose, they control the IPsec configuration
> (sysadm_r) as well as the policy relating to labeling SAs (secadm_r).
> I guess we'll just have to settle for sysadm_r and deal with the fact
> that sysadm_r is going to have some control over the system's security
> policy in this case.
Alternatively, you might consider a separate
network security administrator role that is
associated with those tools. It might be better
than giving sysadm_r the additional responsibility.
Casey Schaufler
casey at schaufler-ca.com