Security Enhanced Linux
SELinux Mailing List

Re: I am attempting to add a secadm_r
From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net>
Date: Thu, 7 Apr 2005 17:46:45 +0100

> around this, from sysadm_r. I know that, but when I was at DOD

GREAT - if you get this working and can make it "look" like the present method by setting secadm_r as an alias to sysadm_r so it "looks" like sysadm_r has policy modification rights, i would be DELIGHTED.

i too have a situation where a day-to-day operator is given _far_ too much rights - including the right to be able to switch off selinux, modify policy etc.

this is _way_ too trusting of the day-to-day operator, who otherwise needs root-style access in order to manage files in a special transfer area, and do other things to the box that require root-level privileges (such as adding new user accounts and setting up new file transfer areas)

if someone knows of a way to have two logins, one of which requires one password to get to root-with-sysadm_r privileges, and one of which requires a DIFFERENT password to get to root-with-secadm_r privileges, and never the two shall meet, i would be DELIGHTED to hear of such a method.

i have a customer in the process of testing the system i have set up for them and i would like to be able to tell them that it is not necessary to hammer into the operator that they must not do things like disable selinux, edit the policy, i want to be able to tell them the operator CANNOT disable selinux, edit the policy - but they can still run adduser.

any assistance greatly appreciated.

l.

Received on Thu 7 Apr 2005 - 12:39:59 EDT
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009