default user context on fedorapeople.org
seth vidal
skvidal at fedoraproject.org
Tue Mar 27 21:35:46 UTC 2012
On Tue, 27 Mar 2012 17:33:26 -0400
Konstantin Ryabitsev <icon at fedoraproject.org> wrote:
> On Tue, 2012-03-27 at 17:17 -0400, seth vidal wrote:
> > And that is the more or less it - does anyone have any
> > suggestions/thoughts?
>
> You don't have to limit yourself to picking between user_u or guest_u.
> You can create another role, such as "fedorauser_u" that is basically
> guest_u, except you can then add specific policies via SELinux roles,
> such as:
>
> irc_role(fedorauser_t, fedorauser_r)
>
> Which should let them run an IRC client such as irsii.
>
> On the other hand, just setting user_u is a good start and a lot less
> work.
Except it is more or less where we are now.
ie: user can run stuff but they cannot put any exec or suid files in
any place they can write.
The debate is not about whether or not to enable this - it is about
whether we need to allow network connections at all.
Allowing irc out or ssh tunnels is not significant more safety
over just allowing general network communication, afaict.
-sv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20120327/9fa8bdfd/attachment.sig>
More information about the infrastructure
mailing list