[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Oct 27 15:36:38 UTC 2006


On Fri, 20 Oct 2006 17:00:28 +1000, Russell Coker said:
> On Thursday 19 October 2006 23:21, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > If we then remove -l from newrole we are done?
> 
> Why remove it?  Why not just cease using it and leave it there for other 
> people who have different needs?

I suspect that it wouldn't fly during an eval, because even if unused, it
would be a possible avenue to bypass the eval'ed config.  You'd probably
have to add a flag of some sort someplace that said if it was permitted.
(If done inside PAM, having the .so have an option 'allow-dash-l' and
submitting for eval with it not present would probably be OK).