default user context on fedorapeople.org
Konstantin Ryabitsev
icon at fedoraproject.org
Wed Mar 28 00:51:46 UTC 2012
On Tue, 2012-03-27 at 17:28 -0600, Kevin Fenzi wrote:
> Note that folks who need to sudo need to still be unconfined right?
No, you want them to be staff_u and add the following to your sudoers:
    %wheel ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
This will transition to unconfined upon sudo.
BTW, I just found out that guest_u (and, by extension, my testguest_u)
still allows sshd forwarding -- I guess it's hard to restrict that on
the SELinux level. It can be disallowed in sshd config, though,
including by group:
    AllowTcpForwarding no
    Match Group wheel
        AllowTcpForwarding yes
Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
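
The sshd_config fragment in the message above, as an added example that is not part of the original message: a small Python resolver showing which AllowTcpForwarding value applies to a user depending on group membership. The function names and sample group names are assumptions made for illustration, and only a single `Match Group` criterion per Match line is handled.

```python
from fnmatch import fnmatchcase

# Constructed sample: the sshd_config fragment quoted in the message.
SAMPLE_CONFIG = """\
AllowTcpForwarding no
Match Group wheel
    AllowTcpForwarding yes
"""

def pattern_list_matches(pattern_list, values):
    """sshd pattern-list: comma-separated globs; a '!' pattern that hits vetoes."""
    matched = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        pat = pat.lstrip("!")
        if any(fnmatchcase(v, pat) for v in values):
            if negated:
                return False
            matched = True
    return matched

def effective_setting(config, keyword, groups):
    """Resolve `keyword` for a user whose groups are `groups`.

    A value set in an applicable Match block overrides the global section;
    within each scope the first value obtained wins.
    """
    global_val = match_val = None
    in_match = applies = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, arg = (line.split(None, 1) + [""])[:2]
        key, arg = key.lower(), arg.strip()
        if key == "match":
            crit, pats = (arg.split(None, 1) + ["", ""])[:2]
            in_match = True
            applies = crit.lower() == "group" and pattern_list_matches(pats, groups)
        elif key == keyword.lower():
            if in_match and applies and match_val is None:
                match_val = arg
            elif not in_match and global_val is None:
                global_val = arg
    return match_val if match_val is not None else global_val
```

On a real host, `sshd -T` with a `-C` connection specification prints the values sshd itself resolves, which is the authoritative check.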