I would concur that something like sysadm is needed. But in the current mls/strict configuration sysadm has too much power. The ability to customize roles and their respective powers in a modular manner seems like a good idea. Hopefully this could lead to more directed policy instead of blanket allow rules. These are hard to deal with when people require changes to the default behavior.

-Chad

> On Fri, 2008-02-15 at 16:22 -0500, Daniel J Walsh wrote:
> > <rant>
> >
> > Personally I think sysadm_t is a waste of time. It is a poor man's
> > unconfined_t and should be eliminated from the face of the earth. All
> > it does is generate bugs and avc messages without supplying any real
> > security. It makes no sense, as a confinement of a root user since it
> > is so easily gotten around. If you have an administrator of a machine,
> > that you want to confine, start with only allowing him the privs that
> > are required to do his job. You can't start by saying he can do
> > everything except ABC.
>
> As long as policy is used in a strict configuration, sysadm will be
> needed. I would prefer to tighten it up.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150