Re: CentOS 5 RBAC

On Wed, 2011-08-31 at 14:23 -0400, Stephen Smalley wrote:
> On Wed, 2011-08-31 at 19:03 +0100, Roy Badami wrote:
> 
> > If the allow_sysadm_manage_security boolean was implemented in this
> > policy then I could simply set that to 'off'.   Given it's not -
> > what's the best way to grant this permission to secadm_r only?
> > Presumably I want to set secure_mode_loadpolicy to 'on' as now so that
> > the shipped policy doesn't give permissions, and then load some custom
> > TE rules to add the necessary permissions for secadm_r to administer
> > security policy? 
> 
> I think that would work and avoid the need to modify/rebuild the
> existing policy.
> 
> However, be aware that the sysadm vs secadm distinction is largely
> illusory even if you do this.  See this thread for further discussion:
> http://marc.info/?t=105457894700002&r=1&w=2

BTW, if you're looking to further harden your setup, you might want to
have a look at CLIP,
http://oss.tresys.com/projects/clip

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

