Generic roles in selinux

Stephen Smalley sds at epoch.ncsc.mil
Wed Oct 27 18:27:54 UTC 2004


On Wed, 2004-10-27 at 14:16, Barry Roomberg wrote:
> Either I'm very confused or my system is very broken.
> 
> When I add a new user to my system via the adduser script, they get tagged
> with "Generic" for their policy type.
> 
> When I examine (using seuser -X) the users, I see that all the Generics
> (there are a lot) have roles of sysadm_r, system_r, and user_r.
> 
> Which means to me that all these users can assume sysadm_r by executing
> the newrole command.
> 
> Is this appropriate?  Shouldn't sysadm_r be reserved for administrators?

Disable the user_canbe_sysadm tunable in your policy (after authorizing
yourself for staff_r), or update to the FC3 policy (even there, it isn't
a bad idea to disable that tunable and explicitly authorize people for
staff_r).

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
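
Added example, not part of the original message or of any SELinux tool: a small Python check for the condition discussed in this thread, listing which SELinux users are authorized for sysadm_r and which intended administrators still lack staff_r. It assumes the policy source has already been m4-expanded, so that only plain `user NAME roles { ... };` statements remain; the sample policy text and the approved-administrator list are constructed.

```python
import re

# Constructed sample of expanded policy `user` statements (not from the thread).
SAMPLE_POLICY = """
user system_u roles system_r;
user user_u roles { user_r sysadm_r system_r };  # generic users
user root roles { staff_r sysadm_r };
user alice roles { staff_r sysadm_r };
user bob roles { user_r sysadm_r system_r };
user carol roles user_r;
"""

# Matches `user NAME roles ROLE;` and `user NAME roles { ROLE ... };`
USER_STMT = re.compile(r"\buser\s+([\w.-]+)\s+roles\s+(?:\{([^}]*)\}|(\w+))")

def parse_user_roles(policy_text):
    """Return {selinux_user: set_of_roles} for every user statement."""
    text = re.sub(r"#.*", "", policy_text)  # drop comments
    users = {}
    for m in USER_STMT.finditer(text):
        roles = (m.group(2) if m.group(2) is not None else m.group(3)).split()
        users.setdefault(m.group(1), set()).update(roles)
    return users

def unexpected_admins(users, approved, admin_role="sysadm_r"):
    """Users authorized for admin_role that are not on the approved list."""
    return sorted(u for u, r in users.items() if admin_role in r and u not in approved)

def admins_missing_staff(users, approved, staff_role="staff_r"):
    """Approved admins not yet authorized for staff_r (needed first, per the reply)."""
    return sorted(u for u in approved if staff_role not in users.get(u, set()))

if __name__ == "__main__":
    users = parse_user_roles(SAMPLE_POLICY)
    approved = {"root", "alice"}  # hypothetical list of real administrators
    print("sysadm_r but not approved:", unexpected_admins(users, approved))
    print("approved but no staff_r:", admins_missing_staff(users, approved))
```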



