[redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes

Klaus Weidner klaus at atsec.com
Mon Apr 17 16:18:56 UTC 2006


On Mon, Apr 17, 2006 at 11:06:41AM -0400, Chad Hanson wrote:
> Another thing to remember is that for a certified configuration, no one ever
> logs in directly as root. The scenario is closer to below:
> 
> Log in as admin user -> newrole to desired role, su to root as needed

I think this needs to be the other way around; the actions for the three
administrative roles need the traditional "root" privileges as well, so
the process would be something like the following:

- log in using non-root ID which is in the staff_u SELinux user class

- use "su" to switch to root

- use "newrole -r" to switch to the role you want.

I think it would be preferable to specify the role directly when running
"su"; currently the context after the "su" is "staff_u:staff_r:staff_t".
Defaulting to sysadm_r would not be good, since the point of this is that
you don't want audadm users to have access to the sysadm role.

-Klaus
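The login sequence Klaus outlines (staff_u login, "su" to root, "newrole -r" into the wanted role) is easy to get wrong because "su" alone leaves you in staff_r. The script below is an added example, not code from the thread or from the LSPP project: it shows the interactive sequence and a small guard that an administrative script can run first so it refuses to proceed in the wrong role. The role names staff_r and auditadm_r, the script name, and the assumption that "id -Z" prints a context of the form user:role:type[:level] are assumptions about the target policy, not facts from the message.

```shell
#!/bin/sh
# Added example (not from the thread). Guard an administrative script so it
# only runs in the intended SELinux role, matching the sequence:
#   log in (staff_u) -> su to root -> newrole -r <role> -> run the task.
# Assumed role names: staff_r, auditadm_r. Assumed "id -Z" output format:
# "user:role:type[:level]", e.g. "staff_u:staff_r:staff_t".

# Extract the role field (second colon-separated field) from a context string.
selinux_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Return 0 if the context's role equals the expected role, 1 otherwise.
context_has_role() {
    [ "$(selinux_role "$1")" = "$2" ]
}

# Abort unless the calling process already runs in the expected role.
# "id -Z" prints the caller's own context on an SELinux-enabled system.
require_role() {
    ctx=$(id -Z 2>/dev/null) || { echo "no SELinux context available" >&2; return 1; }
    if ! context_has_role "$ctx" "$1"; then
        echo "wrong role: have $(selinux_role "$ctx"), need $1" >&2
        return 1
    fi
}

# Interactive sequence as typed at a terminal (su and newrole prompt for
# passwords, so they are shown as comments rather than run by this script):
#   $ id -Z                  # staff_u:staff_r:staff_t right after login
#   $ su -                   # uid 0, but the role is still staff_r
#   # newrole -r auditadm_r  # switch only into the role the task needs
#   # ./audit-task.sh        # hypothetical script whose first line is:
#                            #   require_role auditadm_r || exit 1
```

Because "su" changes the Unix uid but not the SELinux role, the guard catches the common mistake of running the task straight after "su" (role still staff_r) and, just as importantly, refuses to run audit-administration work from sysadm_r, which is the separation Klaus is arguing for.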



