
List:       selinux
Subject:    Re: I thought we decided that root was root
From:       Stephen Smalley <sds () epoch ! ncsc ! mil>
Date:       2004-04-30 12:46:21
Message-ID: 1083329181.30875.29.camel () moss-spartans ! epoch ! ncsc ! mil

On Thu, 2004-04-29 at 18:36, Nick Gray wrote:
> I thought the consensus was that the root account should have the
> default of sysadm_r. I just created a C2T2 system and I came up with
> staff again?

Do you mean FC2 test3?  I think that the system defaults
(/etc/security/default_contexts) are set to prefer staff_r or user_r
over sysadm_r, and the root-specific defaults (/root/.default_contexts)
are set to prefer sysadm_r for console logins, but not for xdm logins or
ssh logins. Naturally, you can customize that if you want to do so, but
the ability to login directly via xdm or ssh to sysadm_r is a tunable
(enabled by default in the Fedora policy, disabled in ours), so note
that people running with a tighter policy will still fall back to
staff_r as the default.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
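
Added example (not part of the original message, and not libselinux or policy code): a simplified Python model of the fallback described above, where a per-user preference for sysadm_r only takes effect if the policy allows that transition from the login program. The file contents, the `reachable` rule and all function names are constructed assumptions for illustration.

```python
# Simplified model of default-context selection. Assumption: candidates are
# ordered by the per-user file first, then the system file, and the first
# candidate the policy permits wins. All sample file contents are constructed.

SYSTEM_DEFAULTS = """\
# stands in for /etc/security/default_contexts (constructed sample)
system_r:local_login_t  staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:sshd_t         staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:xdm_t          staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
"""
ROOT_DEFAULTS = """\
# stands in for /root/.default_contexts (constructed sample)
system_r:local_login_t  sysadm_r:sysadm_t staff_r:staff_t
"""
# A local customization that asks for sysadm_r on ssh logins as well.
ROOT_CUSTOMIZED = ROOT_DEFAULTS + "system_r:sshd_t  sysadm_r:sysadm_t staff_r:staff_t\n"


def parse(text):
    """Map each login-program context to its ordered list of preferred contexts."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table.setdefault(fields[0], []).extend(fields[1:])
    return table


def reachable(login_domain, direct_sysadm):
    """Contexts root may enter from login_domain (assumed stand-in for policy).

    direct_sysadm models the tunable that permits xdm/ssh logins to sysadm_r.
    """
    allowed = {"staff_r:staff_t"}
    if login_domain == "system_r:local_login_t" or direct_sysadm:
        allowed.add("sysadm_r:sysadm_t")
    return allowed


def default_context(login_domain, user_file, system_file, direct_sysadm):
    """Return the first preferred context that the policy actually permits."""
    order = parse(user_file).get(login_domain, []) + parse(system_file).get(login_domain, [])
    permitted = reachable(login_domain, direct_sysadm)
    return next((ctx for ctx in order if ctx in permitted), None)


if __name__ == "__main__":
    for tunable in (True, False):
        ctx = default_context("system_r:sshd_t", ROOT_CUSTOMIZED, SYSTEM_DEFAULTS, tunable)
        print(f"ssh login, customized root file, tunable={tunable}: {ctx}")
```

On a real system, `id -Z` after login shows which context was actually assigned.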

