[redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes
Klaus Weidner
klaus at atsec.com
Tue Apr 18 16:27:57 UTC 2006

On Tue, Apr 18, 2006 at 09:04:53AM -0400, Stephen Smalley wrote:
> On Tue, 2006-04-18 at 07:28 +1000, Russell Coker wrote:
> > I'll work on this and send some code to the list if my tests show it as
> > viable.
>
> Rationale? We just got done reverting pam_selinux from su and friends;
> why do we want to put su-like functionality into newrole? Sounds like a
> regression to me...

Mainly because the current two-step process (su+newrole) is confusing and
annoying. After a "su", you end up with a context (staff_u:staff_r) that
isn't suitable for administrative tasks.

If I understood the issue correctly, it's currently not cleanly possible
to restrict administrative users to specific roles (sysadm, secadm,
audadm), and the preferred behavior would be to run a single command (and
authenticate once) to enter the default role, and extra steps or
arguments would only be needed for switching between multiple permitted
roles.

-Klaus