I've finally gotten around to learning/understanding the grsec RBAC system and I must say, it's pretty amazing.
The one thing I can't figure out though is what's the "best" way to allow access to the gradm command, for access to the admin role.
I understand only root can enable RBAC and that makes sense. What I'm trying to understand is what's the best way to allow system administration tasks.
Is it to:
a) Allow a certain user role (i.e. my standard non-root login) the ability to "su" and then once su'd to root (from a trusted IP address) to allow access to the gradm command?
b) Allow my user role access to gradm directly, so I can run gradm -a admin, giving me access to everything and then allowing su etc.
c) Another way?
It seems that the Full System Learning doesn't consider this "problem" and that if you don't expressly do one or the other during learning you can end up with an RBAC system you can enable but then not disable.
I assume this just means you should do whichever works best for you?
Tim