Daniel J Walsh wrote:
> Admin installs a third party app that requires setuid/setgid or some
> other priv, now he needs to write policy to transition his staff_t to
> thirdparty_t. In my scenario, unconfined_t will be able to run the
> third party app, and will be able to become confinedadmin_t for some sudo
> jobs.

The admin will have a choice to either write that policy or keep the users unconfined while sacrificing some security (that setuid example AND a lot of others) or to give users two roles for this n that. Isn't this feasible?

Michal Svoboda