[redhat-lspp] Re: newrole, UID change, etc

Stephen Smalley sds at tycho.nsa.gov
Mon Apr 24 20:08:46 UTC 2006


On Sun, 2006-04-23 at 11:45 +1000, Russell Coker wrote:
> I have another idea.  If a user is logged in with a context that permits
> changing role to sysadm_r, secadm_r, or auditadm_r then permit them to
> change to UID=0 with authentication against the root account.
> 
> That way in the permissive mode and selinux=0 cases newrole would
> effectively be a version of su which can only change to the root
> account.  As it would use the same PAM settings as su this would not be
> a problem.

Remind me again why newrole followed by su isn't adequate?  I really
don't think we want to re-merge uid changes with context changes.

If we want to permit capability granting w/o uid 0, then that is a
kernel change, not a newrole change.

-- 
Stephen Smalley
National Security Agency