On Fri, 2008-02-15 at 10:36 -0600, Jeremiah Jahn wrote: > Since I'm working with the source, Would it be effective for me to go > through and remove the sysadm rules that allow it to futz w/ the > policies? Sure, if you're willing to change the base policy then you can get it all done. > On Fri, 2008-02-15 at 11:23 -0500, Christopher J. PeBenito wrote: > > On Fri, 2008-02-15 at 10:14 -0600, Jeremiah Jahn wrote: > > > true, but I thought there was a tunable/boolean the disabled all that > > > for sysadm > > > > No, there isn't. It suffers the problems I discussed below. > > > > > On Fri, 2008-02-15 at 11:09 -0500, Christopher J. PeBenito wrote: > > > > On Fri, 2008-02-15 at 10:09 -0600, Jeremiah Jahn wrote: > > > > > So for my purposes, to would probably be best to just make a secadm > > > > > user/role and add follow most of the interface for the original secadm > > > > > role? > > > > > > > > You could do that, but it wouldn't stop sysadm from being able to do all > > > > the secadm things too, defeating the purpose of having a secadm in the > > > > first place :) > > > > > > > > > On Fri, 2008-02-15 at 10:39 -0500, Christopher J. PeBenito wrote: > > > > > > On Fri, 2008-02-15 at 10:16 -0500, Stephen Smalley wrote: > > > > > > > On Fri, 2008-02-15 at 09:09 -0600, Jeremiah Jahn wrote: > > > > > > > > So if I change my build.conf to be mls I should be up and running. I'm > > > > > > > > on RHEL5 btw > > > > > > > > > > > > > > Chris - how hard would it be to make this a separate tunable so that > > > > > > > people who want a separate security admin can turn that on without > > > > > > > enabling MLS? > > > > > > > > > > > > Problematic. The security admin pieces are nicely abstracted into an > > > > > > interface. However, the problem is that it has some typeattribute > > > > > > statements, so we can't put that in a conditional. > > > > > > > > > > > > There are two things that will eventually make this possible. The plan > > > > > > is to move roles into their own modules, and at that point you should be > > > > > > able to just insert the secadm module. > > > > > > > > > > > > > > On Fri, 2008-02-15 at 08:55 -0500, Paul Moore wrote: > > > > > > > > > On Thursday 14 February 2008 6:09:43 pm Jeremiah Jahn wrote: > > > > > > > > > > I see a number of places where the secadm_r role shows up, but It > > > > > > > > > > doesn't show up in the list of users and what not, Is there something > > > > > > > > > > simple I need to enable it, or do I need to build it from scratch? > > > > > > > > > > My goal it to have sysadm not able to modify policy enforcement, and > > > > > > > > > > my secadm not be able to do anything but. If there is a standard way > > > > > > > > > > to do this, I'd love to know. > > > > > > > > > > > > > > > > > > I believe the secadm_r role is only defined for the "mls" policy builds; > > > > > > > > > if you are running a "mcs" (the Fedora default) policy I don't think > > > > > > > > > the secadm_r role is present. > > > > > > > > > > > > > > > > > Boy, n.: A noise with dirt on it. > > > > > "Consequences, Schmonsequences, as long as I'm rich." -- "Ali Baba > > > > > Bunny" [1957, Chuck Jones] > > > First Law of Bicycling: No matter which way you ride, it's uphill and > > > against the wind. > San Francisco, n.: Marcel Proust editing an issue of Penthouse. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
