From: Shaun Savage <savages@pcez.com>
To: "Westerman, Mark" <Mark.Westerman@csoconline.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: General Users
Date: Tue, 15 Jan 2002 11:05:01 -0800
Message-ID: <3C447D5D.3030205@pcez.com>
In-Reply-To: 72222DC86846D411ABD300A0C9EB08A101524289@csoc-mail-box.csoconline.com

I think a new syntax for checkpolicy is needed.  This new tag would be 
"group".  This tag would then be assigned caps.  Then, using Kerberos or 
NIS, the group information is sent with the login.  There are issues I 
see with this.

How do you temporarily merge that user into the group in the policy?  You 
still want each user to be unique.  "Separate but equal :-)"

The problem I see with this is "how do you verify the authorization of 
that group to that user?"  If that "network" group information can affect 
the policy on that machine, how do you prevent corruption?

Just ideas
Shaun



Westerman, Mark wrote:

>The current implementation of SELinux requires each user to be listed in the
>user policy file and the default_context. This is great for single-purpose
>server and workstation machines.
>I am currently looking at a project that will require hundreds of machines and
>thousands of users. The user name and password are propagated through NIS. With
>the current implementation of SELinux this makes the management of the machines
>non-workable. It requires too much system administration. Users are added and
>removed on a regular basis. We cannot rebuild a policy file for each machine
>for the addition or removal of a user.
>
>
>What would be the best way to modify the current implementation to create a
>standard user? I was thinking of setting up a standard user for the user policy
>file and for the default context in /etc/security (cron and default). I am
>looking at modifying libsecure to look at the user; if the user is not found in
>the default_context file, then assign him the standard user context.
>
>
>Any suggestions would be great.
>
>
>Mark Westerman
>




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
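The following is an added example, not code from this thread or from SELinux. It models the two ideas above in one place: Mark's proposal that a login not listed in the per-machine policy falls back to a "standard user" context, and Shaun's objection that group information arriving over the network must not be able to pick an arbitrary context. The policy fragment uses checkpolicy's `user NAME roles { ... };` statement, but the user names, the group table (`LOCAL_GROUP_CONTEXTS`), the role-to-type defaults and the `user_u` fallback context are all constructed for the example; `resolve_login_context` is a hypothetical function standing in for the libsecure lookup Mark describes.

```python
"""Constructed model of the "standard user" fallback discussed in the thread.

Not SELinux or libsecure code.  The local machine's policy decides which
contexts exist; the network (NIS/Kerberos) only asserts group membership.
"""
import re
from typing import Dict, Iterable, List

# Constructed policy fragment in checkpolicy's user-statement syntax.
POLICY = """
user root roles { sysadm_r staff_r };
user mark roles { staff_r };
user shaun roles { user_r };
"""

# Constructed: the domain a role's login shell lands in.
ROLE_DEFAULT_TYPE = {"sysadm_r": "sysadm_t", "staff_r": "staff_t", "user_r": "user_t"}

# Constructed: locally defined groups in priority order (highest first).
# Only names in this table can influence the context; any other group the
# network sends is ignored, and no entry maps to sysadm_r, so admin access
# still requires being listed per machine.  That is the local policy's answer
# to "how do you verify the authorization of that group to that user".
LOCAL_GROUP_CONTEXTS = [
    ("staff", "staff_r:staff_t"),      # hypothetical group name
]

# Constructed: the context every unlisted login receives.
STANDARD_CONTEXT = "user_u:user_r:user_t"

_USER_RE = re.compile(r"^\s*user\s+(\w+)\s+roles\s*\{?\s*([\w\s]+?)\s*\}?\s*;\s*$")


def parse_policy_users(text: str) -> Dict[str, List[str]]:
    """Return {user: [roles...]} for every `user ... roles ...;` statement."""
    users: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _USER_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2).split()
    return users


def resolve_login_context(login: str, nis_groups: Iterable[str],
                          policy_users: Dict[str, List[str]]) -> str:
    """Pick the login context for `login`.

    1. A user listed in the local policy keeps their own identity and first role.
    2. Otherwise, walk the locally defined group table in *local* priority
       order and take the first group the network claims membership of.
       Ordering comes from the table, never from the network data.
    3. Anyone else gets the standard user context.
    """
    if login in policy_users:
        role = policy_users[login][0]
        return f"{login}:{role}:{ROLE_DEFAULT_TYPE[role]}"
    claimed = set(nis_groups)
    for group, role_type in LOCAL_GROUP_CONTEXTS:
        if group in claimed:
            return f"user_u:{role_type}"
    return STANDARD_CONTEXT


if __name__ == "__main__":
    users = parse_policy_users(POLICY)
    for login, groups in [("mark", []), ("alice", ["staff"]),
                          ("bob", ["root", "sysadm_r", "wheel"]), ("eve", [])]:
        print(f"{login:6} groups={groups!r:28} -> {resolve_login_context(login, groups, users)}")
```

The point of the table walk is that a NIS server, or anyone who can spoof it, can at most assert membership of groups the local policy already chose to honour; sending a group named after a privileged role does nothing, and an unlisted user can never reach a context the machine's own policy did not provide for.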

Thread overview: 9+ messages
2002-01-15 14:21 General Users Westerman, Mark
2002-01-15 17:49 ` Stephen Smalley
2002-01-15 18:59 ` Christopher A. Martin
2002-01-15 19:05 ` Shaun Savage [this message]
2002-01-15 19:06 ` Donald Kasper
2002-01-15 22:02   ` Shaun Savage
2002-01-16  6:19     ` Donald Kasper
  -- strict thread matches above, loose matches on Subject: below --
2002-01-15 20:03 Westerman, Mark
2002-01-15 23:38 ` Shaun Savage
