[redhat-lspp] Got up at 5 AM, and thought I would try to write a new role
Stephen John Smoogen
smooge at gmail.com
Fri Jun 16 20:40:35 UTC 2006
On 6/16/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Steve Grubb wrote:
> > On Friday 16 June 2006 15:57, Daniel J Walsh wrote:
> >
> >> I wanted to try to create an auditadm_r.
> >>
> >
> > Didn't you mean httpdadm_r :)
> >
> > I think we should bust up the systemadm role a little more and make it
> > composed of some other roles. RBAC says we are supposed to support
> > composition, so we can use it here.
> >
> > Some other roles might be backup admin, db admin, mail admin.
> >
> > -Steve
> >
> backupadm might be pretty tough, since I don't believe we run type
> enforcement on any backup tools
> so you would need to be able to read/write every file on the system, and
> I see little benefit in this.
>
I think for some servers, there is a need to restrict backup
privileges to certain areas versus the entire system. [Areas being
easier to control security levels with.. but I could see where we
would want at least 4 different backup tools running: Open,
Confidential, Secret, TopSecret..] There might also be needs where
read is ok but write is not unless authorized by a different
mechanism.
Not sure if this needs a separate backup_adm mode or other mechanisms.
--
Stephen J Smoogen.
CSIRT/Linux System Administrator