sshd_t & guest_t - Boolean suggestion
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 23 19:09:11 UTC 2010
On 12/23/2010 02:00 PM, Jorge Fábregas wrote:
> Hello again,
>
> If all my SSH users are "guest_u" users (guest_t domain) and there won't be
> any admin connecting to the machine...wouldn't it be great to remove the
> capability sshd_t has in transitioning into unconfined_t? ...by means of a
> boolean?
>
> Thanks,
> Jorge
Theoretically we have this.

unconfined_login -> on Allow a user to login as an unconfined domain

(Not sure it works.)

Well, one thing you could try is to disable the unconfineduser policy
package. This would eliminate the unconfined_t from your system
altogether.

Then you would have to set up the admin (root) to log in as sysadm_t.
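An added example, not part of the original message: a small Python check that reads a login mapping listing (as printed by `semanage login -l`) and a boolean listing in the `name -> state description` form quoted above, and reports what still leaves an unconfined login path open. The sample listings and all function names are constructed for illustration.

```python
import re

# Constructed sample of `semanage login -l` output (not taken from the thread).
LOGIN_MAP = """\
Login Name           SELinux User         MLS/MCS Range

__default__          guest_u              s0
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
"""

# Boolean line in the form quoted in the message above.
BOOLEANS = "unconfined_login -> on Allow a user to login as an unconfined domain\n"


def unconfined_logins(login_listing):
    """Return login names whose SELinux user is unconfined_u."""
    hits = []
    for line in login_listing.splitlines():
        fields = line.split()
        # Skip blank lines and the header row ("Login Name  SELinux User ...").
        if len(fields) < 2 or fields[:2] == ["Login", "Name"]:
            continue
        if fields[1] == "unconfined_u":
            hits.append(fields[0])
    return hits


def boolean_state(listing, name):
    """Return 'on' or 'off' for a boolean listed as 'name -> state ...', else None."""
    m = re.search(rf"^{re.escape(name)}\s+->\s+(on|off)\b", listing, re.MULTILINE)
    return m.group(1) if m else None


def audit(login_listing, boolean_listing):
    """List findings that keep an unconfined login path available."""
    findings = []
    if boolean_state(boolean_listing, "unconfined_login") == "on":
        findings.append("boolean unconfined_login is on")
    for name in unconfined_logins(login_listing):
        findings.append(f"login '{name}' maps to unconfined_u")
    return findings


if __name__ == "__main__":
    for finding in audit(LOGIN_MAP, BOOLEANS):
        print(finding)
```

An empty result from `audit` means neither the boolean nor any login mapping in the supplied listings points at the unconfined domain; it does not inspect the loaded policy modules.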