On Wed, 2004-10-27 at 14:16, Barry Roomberg wrote:
> Either I'm very confused or my system is very broken.
>
> When I add a new user to my system via the adduser script, they get
> tagged with "Generic" for their policy type.
>
> When I examine (using seuser -X) the users, I see that all the Generics
> (there are a lot) have roles of sysadm_r, system_r, and user_r.
>
> Which means to me that all these users can assume sysadm_r by executing
> the newrole command.
>
> Is this appropriate? Shouldn't sysadm_r be reserved for administrators?

Disable the user_canbe_sysadm tunable in your policy (after authorizing
yourself for staff_r), or update to the FC3 policy (even there, it isn't
a bad idea to disable that tunable and explicitly authorize people for
staff_r).

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
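An added example, not part of the original messages: a small audit that reads SELinux policy `user ... roles ...;` statements and reports every user authorized for sysadm_r who is not on an approved administrator list. It assumes the statements have already been m4-expanded; the sample input, the `approved_admins` set, and the function names are constructed for illustration, and the `user_u` line is a constructed stand-in for a generic user entry with the tunable enabled.

```python
import re

# Matches "user NAME roles ROLE;" or "user NAME roles { R1 R2 };" as written in
# policy source after m4 expansion. Anything after the role set is ignored.
USER_STMT = re.compile(
    r"^\s*user\s+(?P<name>\S+)\s+roles\s+(?:\{(?P<set>[^}]*)\}|(?P<one>[^\s;]+))",
    re.MULTILINE,
)

ADMIN_ROLES = {"sysadm_r"}


def parse_users(text):
    """Return {selinux_user: set(roles)} from policy user statements."""
    text = re.sub(r"#.*", "", text)  # drop policy comments
    users = {}
    for m in USER_STMT.finditer(text):
        if m.group("set") is not None:
            roles = m.group("set").split()
        else:
            roles = [m.group("one")]
        users.setdefault(m.group("name"), set()).update(roles)
    return users


def audit(text, approved_admins):
    """List (user, roles) for users holding an admin role without approval."""
    findings = []
    for name, roles in sorted(parse_users(text).items()):
        if roles & ADMIN_ROLES and name not in approved_admins:
            findings.append((name, sorted(roles)))
    return findings


# Constructed sample input (not taken from any real system).
SAMPLE = """\
user system_u roles system_r;
user user_u roles { user_r sysadm_r system_r };  # generic users, tunable on
user root roles { staff_r sysadm_r };
user alice roles { staff_r sysadm_r };
user bob roles { user_r };
"""

if __name__ == "__main__":
    for name, roles in audit(SAMPLE, approved_admins={"root", "alice"}):
        print(f"{name}: authorized for {' '.join(roles)} but not an approved admin")
```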