Disabled root - by default; up2date more annoying

Russell Coker russell at coker.com.au
Mon Feb 9 03:26:59 UTC 2004


On Mon, 9 Feb 2004 10:56, Jef Spaleta <jspaleta at princeton.edu> wrote:
> My understanding is that incorporating selinux has a great impact on what
> 'disabling' root looks like.  I'm pretty sure I had a conversation with
> mkj at one point about the selinux implications for the system tools,
> the ones we use userhelper and pam_console to ask root password for.
> I think whatever you wanted to accomplish with sudo, the selinux
> capabilities make possible in a deeper more secure way.

At the moment with SE Linux we are aiming to have things work much the same as 
non-SE machines for a default install, this includes having root:sysadm_r 
logins by default!

The problem is that if we block things using SE Linux which otherwise work 
then many users will just turn off SE Linux to make it work.

If something like disabling root logins is to be done then it has to be done 
without using SE Linux IMHO.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




