On Wed, Oct 11, 2006 at 03:31:22PM -0300, Thiago Jung Bauermann wrote:
> On Tuesday 10 October 2006 14:19, Loulwa Salem wrote:
> > KW: Earlier I made a proposal to not allow regular users from using
> > newrole. I know it is ugly but it is the only solution that I see that
> > doesn't have security holes. Does anyone have a solution that they have
> > tested and are confident in? I think I'll try to do a more detailed
> > write-up. Do we want this on selinux or lspp list?
>
> When you say that regular users won't be able to run newrole, are you
> talking about SELinux users or DAC users? Does it mean that even staff_u
> won't be able to use newrole?

I meant DAC users. (As an aside, I think it's very confusing that SELinux
reused the term "users" - is it too late to change that to "user class"
instead?)

> Does that mean that if ssh root logins are disabled, the only way to
> newrole is logging in via the machine's console as root?

No, after a "su" to root, an admin could still run newrole, both on a
local console and in an SSH session.

-Klaus

--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
