On 6/16/06, Daniel J Walsh <[EMAIL PROTECTED]> wrote:
Steve Grubb wrote:
> On Friday 16 June 2006 15:57, Daniel J Walsh wrote:
>
>> I wanted to try to create an auditadm_r.
>
> Didn't you mean httpdadm_r :)
>
> I think we should bust up the systemadm role a little more and make it
> composed of some other roles. RBAC says we are supposed to support
> composition, so we can use it here.
>
> Some other roles might be backup admin, db admin. mail admin.
>
> -Steve

backupadm might be pretty tough, since I don't believe we run type enforcement on any backup tools so you would need to be able to read/write every file on the system, and I see little benefit in this.

I think for some servers, there is a need to restrict backup privileges to certain areas versus the entire system. [Areas being easier to control security levels with.. but I could see where we would want at least 4 different backup tools running: Open, Confidential, Secret, TopSecret..]

There might also be needs where read is ok but write is not unless authorized by a different mechanism. Not sure if this needs a separate backup_adm mode or other mechanisms.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator

--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
