--- Begin Message ---
Gene Czarcinski wrote:
On Tuesday 06 April 2004 11:01, Daniel J Walsh wrote:
This has been updated for policy-1.9.2-13
(Available on people). This is being governed by the
user_canbe_sysadm tunable. If you turn this off only staff_u would be
able to do it.
Normal users running checkpolicy would still require the can_setenforce
and maybe some other privs.
If I understand what you are saying -- there are some "knobs" that can be
turned and "switches" that can be set to limit which users will be able to
build a policy rpm (or any rpm for that matter). However, the current
settings are "wide open" and anyone can do it ... or at least it looks like
that since I just built the policy rpms as a regular user (true it was
1.9.2-12 since you did not put the src.rpm on people).
Gene
Yes you can build all the RPMS you want but you can not install them.
Currently there is no difference between user_u and staff_u, you can
change them to be
different and lower the privs of user_u by turning off the
user_canbe_sysadm tunable.
Which will eliminate things like consolehelper, su and read
policy_config from working
for a normal user. Look in tunables.te file. This will eventually have
a GUI wrapper
that will allow admins select their level of security.
I would not say they are "wide open". They are more relaxed then you
would want in a
top security environment. What I run on my laptop, needs to be more
relaxed then what I run
on my companies web-site. You would use tunables to adjust that.
--- End Message ---