[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole
Klaus Weidner
klaus at atsec.com
Fri Jan 5 03:33:11 UTC 2007
On Thu, Jan 04, 2007 at 10:05:57PM -0500, Joshua Brindle wrote:
> Hardcoding types into code makes it inflexible to policy changes, this
> is a bad idea IMO, the tty whitelist, however, is probably the way to
> go. I don't know if we should use the existing /etc/securetty or add
> our own file though.

I'm not sure if the existing /etc/securetty is the right one, since
people may make serial terminals available to users but would not want
direct root login on those. Well, maybe not terribly likely these days.

Instead of hardcoded types, how about a configurable type or a
/etc/securettytypes file that contains the types instead of tty names?

-Klaus