From: Daniel J Walsh <dwalsh@redhat.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: Jeremiah Jahn <jeremiah@goodinassociates.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Paul Moore <paul.moore@hp.com>, selinux <selinux@tycho.nsa.gov>
Subject: Re: secadm/sysadm discussion
Date: Tue, 19 Feb 2008 09:48:34 -0500
Message-ID: <47BAEC42.60708@redhat.com>
In-Reply-To: <1203341839.13618.71.camel@gorn>


Christopher J. PeBenito wrote:
> On Fri, 2008-02-15 at 16:22 -0500, Daniel J Walsh wrote:
>> <rant>
>>
>>
>> Personally I think sysadm_t is a waste of time.  It is a poor man's
>> unconfined_t and should be eliminated from the face of the earth.  All
>> it does is generate bugs and avc messages without supplying any real
>> security.  It makes no sense as a confinement of a root user, since it
>> is so easily gotten around.  If you have an administrator of a machine
>> that you want to confine, start with only allowing him the privs that
>> are required to do his job.  You can't start by saying he can do
>> everything except ABC.
> 
> As long as policy is used in a strict configuration, sysadm will be
> needed.  I would prefer to tighten it up.
> 
This is what I question.  If you cannot define what a strict
configuration is, then sysadm_t is useless.  And tightening it up a
little does nothing.  If sysadm_t can build and install an RPM, all bets
are off.  If he can format disks, add users, change passwords, run su,
modify sudo, or change the contents of the "sysadm_t" homedir, then you
cannot stop him.

So why carry on the charade that this is useful?  In my mind you either
fully trust your admin or you don't.  If you don't, you need to define
exactly what you want him to be allowed to do, and then write policy for
that.  If you can't write policy tight enough to stop him from doing
evil things, then you need to fall back to auditing his every move.
Writing a special mishmash of admin called sysadm is a waste of time.



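An added check, not part of this thread or of the reference policy: a small Python audit that parses `sesearch --allow` output and flags the privileges the message lists as making a "confined" admin domain escapable (installing RPMs, formatting disks, adding users, changing passwords, running su). The sesearch text format, the refpolicy type names used as targets and the sample rules are assumptions constructed for the example.

```python
import re

# Privileges the message lists as ending the game. Target type names are
# assumed refpolicy names; mapping them to the message's list is ours.
ESCAPE_PRIVS = {
    "rpm_exec_t":          ({"execute", "execute_no_trans"}, "install RPMs"),
    "fixed_disk_device_t": ({"write"},                       "format disks"),
    "passwd_file_t":       ({"write", "append", "create"},   "add users"),
    "shadow_t":            ({"write", "append", "create"},   "change passwords"),
    "su_exec_t":           ({"execute", "execute_no_trans"}, "run su"),
}

# Matches `allow src tgt:class { p1 p2 };` and `allow src tgt:class p1;`;
# anything after the `;` (sesearch's conditional suffix) is ignored.
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<many>[^}]*)\}|(?P<one>\w+))\s*;")

def parse_allow_rules(text):
    """Parse `sesearch --allow` text into (src, tgt, class, perms) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            perms = m["many"].split() if m["many"] is not None else [m["one"]]
            rules.append((m["src"], m["tgt"], m["cls"], frozenset(perms)))
    return rules

def find_escape_privs(rules, domain):
    """Return (target, escape perms granted, consequence) for `domain`."""
    findings = []
    for src, tgt, _cls, perms in rules:
        bad, why = ESCAPE_PRIVS.get(tgt, (set(), None))
        hit = perms & bad if src == domain else set()
        if hit:
            findings.append((tgt, sorted(hit), why))
    return findings

def is_effectively_unconfined(rules, domain):
    """The message's test: any one escape privilege and confinement is moot."""
    return bool(find_escape_privs(rules, domain))

# Constructed sample output: a broad admin domain beside a narrowly scoped one.
SAMPLE = """\
allow sysadm_t rpm_exec_t:file { execute execute_no_trans getattr open read };
allow sysadm_t shadow_t:file { append getattr open read write };
allow sysadm_t su_exec_t:file execute; [ secure_mode ]:False
allow webadmin_t httpd_config_t:file { getattr open read write };
allow webadmin_t shadow_t:file { getattr open read };
"""
RULES = parse_allow_rules(SAMPLE)
```

Run against a real policy with `sesearch --allow -s <domain>` piped into `parse_allow_rules`; a domain with any finding is the "poor man's unconfined_t" the message describes, while an empty result only means the listed privileges are absent, not that the domain is tight.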

