On Fri, 2008-02-15 at 16:22 -0500, Daniel J Walsh wrote:
> <rant>
>
> Personally I think sysadm_t is a waste of time. It is a poor man's
> unconfined_t and should be eliminated from the face of the earth. All
> it does is generate Bugs and avc messages without supplying any real
> security. It makes no sense, as a confinement of a root user since it
> is so easily gotten around. If you have an administrator of a machine,
> that you want to confine, start with only allowing him the privs that
> are required to do his job. You can't start by saying he can do
> everything except ABC.

As long as policy is used in a strict configuration, sysadm will be needed. I would prefer to tighten it up.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150