From nobody Sun Jan 10 02:01:55 2010
Message-ID: <4072EF13.3040707@redhat.com>
Date: Tue, 06 Apr 2004 13:55:31 -0400
From: Daniel J Walsh <dwalsh@redhat.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040312
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Gene Czarcinski <gene@czarc.net>
Subject: Re: Not good
References: <200404011728.15051.gene@czarc.net> <4072AD6B.1090207@tresys.com> <4072C658.2090803@redhat.com> <200404061238.46084.gene@czarc.net>
In-Reply-To: <200404061238.46084.gene@czarc.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Gene Czarcinski wrote:

>On Tuesday 06 April 2004 11:01, Daniel J Walsh wrote:
>
>> This has been updated for policy-1.9.2-13
>>(Available on people). This is being governed by the
>>user_canbe_sysadm tunable. If you turn this off only staff_u would be
>>able to do it.
>>
>>Normal users running checkpolicy would still require the can_setenforce
>>and maybe some other privs.
>
>If I understand what you are saying -- there are some "knobs" that can be
>turned and "switches" that can be set to limit which users will be able to
>build a policy rpm (or any rpm for that matter). However, the current
>settings are "wide open" and anyone can do it ... or at least it looks like
>that since I just built the policy rpms as a regular user (true it was
>1.9.2-12 since you did not put the src.rpm on people).
>
>Gene

Yes you can build all the RPMS you want but you can not install them.
Currently there is no difference between user_u and staff_u, you can
change them to be different and lower the privs of user_u by turning off
the user_canbe_sysadm tunable. Which will eliminate things like
consolehelper, su and read policy_config from working for a normal
user. Look in the tunables.te file. This will eventually have a GUI wrapper
that will allow admins to select their level of security.

I would not say they are "wide open". They are more relaxed than you
would want in a top security environment. What I run on my laptop needs
to be more relaxed than what I run on my company's web-site. You would use
tunables to adjust that.