begin quoting Tracy R Reed as of Wed, Feb 02, 2005 at 10:02:53AM -0800:
> On Wed, Feb 02, 2005 at 10:01:27AM -0800, Stewart Stremler spake thusly:
> > Last I recall, getting the root password to your SE Linux box got a
> > shell with no access to any tools anywhere.
>
> On the contrary, you can run any program a normal user would be able to
> run. You can compile any code you want, ftp in anything you want, etc. You
> can even install anything you want in your own $HOME.

Last time I took up your challenge I got a shell, and no access to any tools. :-)

But that was a long time ago. You've since reinstalled or changed machines, IIRC, since then.

> A programmer should
> be able to do his job completely in such an environment.

Application programmer, certainly.

Let's say I (the programmer in question) provide you software that demands root access because it wants to install itself in /usr/bin, dump config files in /etc, libraries in /lib, documentation in /usr/doc, support files in /usr/share, admin programs in /sbin. Do you Just Say No? Does the inexperienced admin who's been told that this program of mine is the neatest thing since sliced bread and that it will solve his current problem at hand have only that option?

> > What we need is an inexperienced programmer writing real code that needs
> > setuid access (so says the programmer), and an inexperienced administrator to
> > install and run the code (so fancy SELinux configuration is out).
>
> Fancy SE Linux configuration is out for the moment but I bet we will have
> more dynamic secure and self-configuring policies via a sort of "learn
> mode" for SE Linux in the near future that will let inexperienced
> administrators do their thing.

More dynamism (see my 'sandbox tool') would be good. Don't know if I care about "learn modes"... it doesn't address the complexity of the system, it only hides it.

-Stewart "Dynamic role-based control looks very nice, however" Stremler

-- 
KPLUG-List mailing list
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
