Gentoo Archives: gentoo-hardened

From: "Krzysztof Kozłowski" <krzysztof.kozlowski@×××××××××.pl>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] SELinux - Root and sudo commands denied
Date: Sun, 10 Jun 2007 19:58:48
Message-Id: 466C5760.8020305@kozik.net.pl
In Reply to: Re: [gentoo-hardened] SELinux - Root and sudo commands denied by Petre Rodan
Hmmm, this is interesting.

So for example I would like to get rid of sudo and replace its behavior with
su. How to:
1. log all root commands (some clever "auditallow" rule?);
2. do not need to know root password;

Petre Rodan wrote:
>> For example - I have to edit /etc/fstab. So I have two choices:
>> $ newrole -r sysadm
>> $ su -
>> # vi /etc/fstab
>> (or "$ su - -c 'vi /etc/fstab'")
>> or
>> $ newrole -r sysadm // or something else
>> $ sudo vi /etc/fstab
>>
>> And the first choice is better from security point of view?
>
> IMHO, yes.

--
Krzysztof Kozłowski
http://www.kozik.net.pl

--
gentoo-hardened@g.o mailing list

Replies

Subject Author
Re: [gentoo-hardened] SELinux - Root and sudo commands denied Petre Rodan <kaiowas@g.o>