[redhat-lspp] LSPP Development Telecon 10/09/2006 Minutes
Klaus Weidner
klaus at atsec.com
Thu Oct 12 14:53:07 UTC 2006

On Wed, Oct 11, 2006 at 03:31:22PM -0300, Thiago Jung Bauermann wrote:
> On Tuesday 10 October 2006 14:19, Loulwa Salem wrote:
> > KW: Earlier I made a proposal to not allow regular users to use
> > newrole. I know it is ugly but it is the only solution that I see that
> > doesn't have security holes. Does anyone have a solution that they have
> > tested and are confident in? I think I'll try to do a more detailed write
> > up. Do we want this on selinux or lspp list?
>
> When you say that regular users won't be able to run newrole, are you talking
> about SELinux users or DAC users? Does it mean that even staff_u won't be
> able to use newrole?

I meant DAC users. (As an aside, I think it's very confusing that SELinux
reused the term "users" - is it too late to change that to "user class"
instead?)

> Does that mean that if ssh root logins are disabled, the only way to newrole
> is logging in via the machine's console as root?

No, after a "su" to root, an admin could still run newrole, both on a
local console and in an SSH session.

-Klaus