Re: default user context on fedorapeople.org

On Tue, Mar 27, 2012 at 05:35:46PM -0400, seth vidal wrote:
> On Tue, 27 Mar 2012 17:33:26 -0400
> Konstantin Ryabitsev <icon@xxxxxxxxxxxxxxxxx> wrote:
> 
> > On Tue, 2012-03-27 at 17:17 -0400, seth vidal wrote:
> > > And that is more or less it - does anyone have any
> > > suggestions/thoughts? 
> > 
> > You don't have to limit yourself to picking between user_u or guest_u.
> > You can create another role, such as "fedorauser_u" that is basically
> > guest_u, except you can then add specific policies via SELinux roles,
> > such as:
> > 
> > irc_role(fedorauser_t, fedorauser_r)
> > 
> > Which should let them run an IRC client such as irssi.
> > 
> > On the other hand, just setting user_u is a good start and a lot less
> > work.
> 
> 
> Except it is more or less where we are now.
> 
> ie: user can run stuff but they cannot put any exec or suid files in
> any place they can write.
> 
> The debate is not about whether or not to enable this - it is about
> whether we need to allow network connections at all.
> 
> Allowing irc out or ssh tunnels is not significantly more safety
> over just allowing general network communication, afaict.
> 
I do find it useful to be able to ssh files from fedorapeople to other hosts
at times (if I've uploaded them there at one point and then later realize
I need them somewhere else as well).

Can't think of anything else where I need to initiate a network connection
from fedorapeople.org.

-Toshio
