On Tue, 2012-03-27 at 17:35 -0400, seth vidal wrote: > Except it is more or less where we are now. > > ie: user can run stuff but they cannot put any exec or suid files in > any place they can write. > > The debate is not about whether or not to enable this - it is about > whether we need to allow network connections at all. > > Allowing irc out or ssh tunnels is not significant more safety > over just allowing general network communication, afaict. It's not quite like that. E.g. if we do fedora_u with irc_role(), then the person would be allowed to execute a binary labelled with irc_exec_t, which would then be allowed to connect to IRC ports. Without executing that binary, the user would not be able to connect to IRC ports, so no ssh-forwarding or just "telnet 6667". Let me verify this in my VM, though, before I'm forced to insert my foot into my mouth. :) Best, -- Konstantin Ryabitsev Systems Administrator, Kernel.org Montréal, Québec
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
