From: Sven Vermeulen
Date: Sun, 14 Nov 2010 21:23:43 +0100
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux (strict policy) and ssh
Message-ID: <20101114202343.GA28621@siphos.be>

On Sun, Nov 14, 2010 at 01:40:12PM +0100, luc nac wrote:
> Is it right that I can still login (or switch to the sysadm_r role)
> via ssh to that machine even if the boolean "ssh_sysadm_login" is set
> "off"?

Yes, the boolean only ensures that users cannot immediately log on (through
SSH) in the sysadm_r role. Once they are logged on, they can always use
newrole.

wkr,
	Sven Vermeulen
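
Added example, not part of the original message: since the boolean does not stop newrole after login, an audit of who can end up in sysadm_r over SSH has to look at which Linux logins map to an SELinux user authorized for that role. The function name and the sample text below are constructed for illustration; on a live system the two inputs would come from `semanage user -l` and `semanage login -l`.

```shell
#!/bin/sh
# Added example: list Linux logins whose SELinux user is authorized for
# sysadm_r. These accounts are candidates for "newrole -r sysadm_r" after an
# SSH login, whatever the state of the ssh_sysadm_login boolean.

# Constructed sample in the general shape of `semanage user -l` output
# (column layout is an assumption and varies between policy types).
SAMPLE_USERS='SELinux User    Prefix     SELinux Roles

root            sysadm     sysadm_r staff_r
staff_u         staff      sysadm_r staff_r
user_u          user       user_r'

# Constructed sample in the general shape of `semanage login -l` output.
SAMPLE_LOGINS='Login Name      SELinux User

__default__     user_u
root            root
alice           staff_u
bob             user_u'

# sysadm_capable_logins USERS_TEXT LOGINS_TEXT  (hypothetical helper)
# Prints one login per line, in the order the login mapping lists them.
# A printed "__default__" means every unlisted account is covered too.
sysadm_capable_logins() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        # The "---" line separates the user table from the login table.
        $0 == "---" { second = 1; next }
        # User table: remember SELinux users that carry the sysadm_r role.
        !second { for (i = 2; i <= NF; i++) if ($i == "sysadm_r") ok[$1] = 1; next }
        # Login table: field 1 is the login, field 2 its SELinux user.
        NF >= 2 && ($2 in ok) { print $1 }
    '
}

# Stand-alone run on the constructed samples.
sysadm_capable_logins "$SAMPLE_USERS" "$SAMPLE_LOGINS"

# Live use (as root, SELinux tools installed):
#   getsebool ssh_sysadm_login
#   sysadm_capable_logins "$(semanage user -l)" "$(semanage login -l)"
```

Being authorized for the role is only the precondition: newrole still asks the user to authenticate, and the policy must allow the role change.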