From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Daniel J Walsh <dwalsh@redhat.com>, SE Linux <selinux@tycho.nsa.gov>
Subject: Re: I am attempting to add a secadm_r
Date: Thu, 7 Apr 2005 19:33:07 +0100 [thread overview]
Message-ID: <20050407183307.GA19784@lkcl.net> (raw)
In-Reply-To: <1112895576.27110.86.camel@moss-spartans.epoch.ncsc.mil>
On Thu, Apr 07, 2005 at 01:39:36PM -0400, Stephen Smalley wrote:
> > if secadm could be drastically restricted to pretty much only be
> > able to run policy / labelling selinux command tools - even better.
>
> Problematic at present, given that policy is modified in source form,
> unless you want to require all policy modifications to be done off-line
> and then only allow updated binary policy to be installed by the secadm.
the arrangement that i have is complicated by the fact that
when a new user is added, some additions to about three
policy source files are also required, which defines some new
domains under which the user is exclusively allowed access to
a subdirectory of the transfer area and to that area _alone_.
i am therefore giving serious consideration to writing this as a
script, which the day-to-day operator will be allowed to run (yes,
there could end up being hundreds of new users, each with their own
separate and exclusively accessible transfer area)
and setting up a domain under which this script can be run, and
allowing the operator to run it.
that is the _only_ way that i would normally like policy to
be modifiable on this system - except possibly by sysadm_r.
i could then give serious consideration to allowing staff_r the right
to run this magic script.
... i get the impression that it might be better to have
a sysadm_r role (as it presently is) which is allowed
"EVVERRYTHING", and a second-tier role which is allowed
"everything-sysadm-can-presently-do-except-policy-related-stuff".
l.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2005-04-07 18:27 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-07 15:38 I am attempting to add a secadm_r Daniel J Walsh
2005-04-07 16:46 ` Luke Kenneth Casson Leighton
2005-04-07 17:00 ` Stephen Smalley
2005-04-07 17:45 ` Luke Kenneth Casson Leighton
2005-04-07 17:39 ` Stephen Smalley
2005-04-07 18:33 ` Luke Kenneth Casson Leighton [this message]
2005-04-19 4:43 ` Russell Coker
2005-04-07 16:54 ` Stephen Smalley
2005-04-07 16:55 ` Stephen Smalley
2005-04-07 17:10 ` Stephen Smalley
2005-04-07 19:25 ` Daniel J Walsh
2005-04-07 19:37 ` Stephen Smalley
2005-04-19 4:32 ` Russell Coker
-- strict thread matches above, loose matches on Subject: below --
2005-04-08 0:50 Chad Hanson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050407183307.GA19784@lkcl.net \
--to=lkcl@lkcl.net \
--cc=dwalsh@redhat.com \
--cc=sds@epoch.ncsc.mil \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.