On Tue, 2012-03-27 at 17:28 -0600, Kevin Fenzi wrote:
> Note that folks who need to sudo need to still be unconfined right?

No, you want them to be staff_u and add the following to your sudoers:

%wheel ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL

This will transition to unconfined upon sudo.

BTW, I just found out that guest_u (and, by extension, my testguest_u) still allows sshd forwarding -- I guess it's hard to restrict that on the SELinux level. It can be disallowed in sshd config, though, including by group:

AllowTcpForwarding no
Match Group wheel
    AllowTcpForwarding yes

Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
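One way to confirm that the sshd settings from the message above take effect per group is to ask sshd for the configuration it would apply to a given user. This is an added example, not part of the original message; the script name, the account names passed to it, and the `SSHD_DUMP` override hook are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: verify the effective AllowTcpForwarding value per user.
# Usage (as root, so sshd can read its host keys):
#   sh check_fwd.sh USER EXPECTED
# e.g. a wheel member should report "yes", any other account "no".

# Read `sshd -T` output on stdin and print the AllowTcpForwarding value.
# Exits non-zero when the keyword is missing from the dump.
forwarding_value() {
    awk 'tolower($1) == "allowtcpforwarding" { print $2; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Dump the configuration sshd would apply to a connection from user $1,
# with Match blocks (including Match Group) evaluated for that user.
# user, host and addr are all given because older OpenSSH releases
# require the full connection spec for -C.
sshd_dump() {
    sshd -T -C "user=$1,host=localhost,addr=127.0.0.1"
}

# check_user USER EXPECTED
# Returns 0 when the effective value equals EXPECTED, 1 otherwise.
# SSHD_DUMP (hypothetical hook) can name another function or command
# that produces the dump, which allows checking without a live sshd.
check_user() {
    actual=$("${SSHD_DUMP:-sshd_dump}" "$1" | forwarding_value) || actual=unknown
    if [ "$actual" = "$2" ]; then
        echo "OK   $1: allowtcpforwarding=$actual"
    else
        echo "FAIL $1: allowtcpforwarding=$actual (expected $2)" >&2
        return 1
    fi
}

# Run a check only when called with USER and EXPECTED arguments.
if [ "$#" -eq 2 ]; then
    check_user "$1" "$2"
fi
```

The Match Group test is resolved from the account's real group membership, so the user passed in must exist on the host being checked.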