| 1 |
John Huttley wrote: |
| 2 |
|
| 3 |
> I would figure that if I logged in as root, I could stay in the sysadm_r |
| 4 |
> and change between sysadm_t and staff_t |
| 5 |
|
| 6 |
> If a role is a set of permitted types, why should I have to change my |
| 7 |
> role???? |
| 8 |
|
| 9 |
By default, when you log in as root, you don't get assigned |
| 10 |
the sysadm_r role. You're put into staff_r instead. This |
| 11 |
role is permitted to transition to the types you need for |
| 12 |
routine system management -- log files and such. But |
| 13 |
there's a lot that staff_r doesn't have access to. For |
| 14 |
example, changing the SELinux policy itself :) |
| 15 |
|
| 16 |
Similar to how standard best practices would have you log in |
| 17 |
as a non-root user, and sudo when you need root access, |
| 18 |
SELinux best practices says that you log into staff_r, and |
| 19 |
only change to the sysadm_r role when needed, and only for |
| 20 |
as long as necessary. |
| 21 |
|
| 22 |
-- |
| 23 |
-- Mike |
| 24 |
|
| 25 |
Still using IE? Get Firefox! |
| 26 |
http://www.spreadfirefox.com/?q=affiliates&id=6492&t=1 |
| 27 |
-- |
| 28 |
gentoo-hardened@g.o mailing list |
Archives