[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Fwd: Re: Not good]

--- Begin Message --- Gene Czarcinski wrote:

On Tuesday 06 April 2004 11:01, Daniel J Walsh wrote:

This has been updated for policy-1.9.2-13 (Available on people). This is being governed by the
user_canbe_sysadm tunable. If you turn this off only staff_u would be
able to do it.

Normal users running checkpolicy would still require the can_setenforce
and maybe some other privs.

If I understand what you are saying -- there are some "knobs" that can be turned and "switches" that can be set to limit which users will be able to build a policy rpm (or any rpm for that matter). However, the current settings are "wide open" and anyone can do it ... or at least it looks like that since I just built the policy rpms as a regular user (true it was 1.9.2-12 since you did not put the src.rpm on people).


Yes you can build all the RPMS you want but you can not install them.

Currently there is no difference between user_u and staff_u, you can change them to be
different and lower the privs of user_u by turning off the user_canbe_sysadm tunable.
Which will eliminate things like consolehelper, su and read policy_config from working
for a normal user. Look in tunables.te file. This will eventually have a GUI wrapper
that will allow admins select their level of security.

I would not say they are "wide open". They are more relaxed then you would want in a
top security environment. What I run on my laptop, needs to be more relaxed then what I run
on my companies web-site. You would use tunables to adjust that.

--- End Message ---

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]