From: Daniel J Walsh <dwalsh@redhat.com>
To: selinux@tycho.nsa.gov
Subject: Re: Groups in the alternative user solution
Date: Tue, 05 Jul 2005 15:15:11 -0400
Message-ID: <42CADC3F.8000206@redhat.com>
In-Reply-To: <20050630191417.26186.qmail@web31611.mail.mud.yahoo.com>
Ok, we are actually trying to code something up to deal with this discussion. These are our current thoughts on handling users. We have not come to a decent way of handling file_contexts. We are attempting in this example to limit the number of file_context/user files.
Example policy for a hospital would have 5 types of SELinux users.

$ cat /etc/selinux/strict/users/local.users
user doctor_u { user_r nurse_r labtech_r doctor_r };
user labtech_u { user_r labtech_r };
user nurse_u { user_r nurse_r };
user user_u { user_r };
user staff_u { staff_r sysadm_r secadm_r };
Then we create a file called map.users.

$ cat /etc/selinux/strict/users/map.users
staff_u: dwalsh,ivan
doctor_u: green,welby,spock
nurse_u: cratchet,nightengale
labtech_u: grissom
user_u: *
As far as file_context files are concerned, only dwalsh and ivan would need to have user-specific file_context.homedir files created, since all other users on the system would map to the "user" type.

Somehow we need to make the system smart enough to know that SELinux users map to a default role/type.
So when "grissom" logs in, his id -Z will show

labtech_u:user_r:user_t
He then can run

newrole -r labtech_r

and can run labtech applications.
Dr. Green would log in as

doctor_u:user_r:user_t

He could then run newrole and change to any of doctor_r, nurse_r, or labtech_r and run the associated applications.
The only time home directory file context would need to change would be if the user became an admin.

This would potentially eliminate the 1000s-of-file-context-files problem, since almost all users would map to the default user_r and user_home_t for their home dir file context.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
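To make the two-file scheme in the message above concrete, here is an added example (not code from Dan Walsh or from SELinux itself) that parses local.users and map.users exactly as shown, resolves a login name to its SELinux user via the "*" fallback, checks whether a newrole target is authorised, and decides which logins need a per-user file_context.homedir. The homedir criterion (only SELinux users that are never in plain user_r) is my reading of the message, not something it states outright.

```python
import re
# Constructed sample input: the two files proposed in the message above.
LOCAL_USERS = """\
user doctor_u { user_r nurse_r labtech_r doctor_r };
user labtech_u { user_r labtech_r };
user nurse_u { user_r nurse_r };
user user_u { user_r };
user staff_u { staff_r sysadm_r secadm_r };
"""
MAP_USERS = """\
staff_u: dwalsh,ivan
doctor_u: green,welby,spock
nurse_u: cratchet,nightengale
labtech_u: grissom
user_u: *
"""
USER_RE = re.compile(r"^\s*user\s+(\w+)\s*\{([^}]*)\}\s*;")

def parse_local_users(text):
    """SELinux user -> set of roles it is authorised for (local.users)."""
    return {m.group(1): set(m.group(2).split())
            for m in map(USER_RE.match, text.splitlines()) if m}

def parse_map_users(text):
    """Login name -> SELinux user (map.users); '*' becomes the fallback."""
    explicit, default = {}, None
    for line in text.splitlines():
        seuser, sep, names = line.partition(":")
        if not sep:
            continue  # skip blank or malformed lines
        for name in (n.strip() for n in names.split(",")):
            if name == "*":
                default = seuser.strip()
            elif name:
                explicit[name] = seuser.strip()
    return explicit, default

def resolve_seuser(login, explicit, default):
    """An explicit entry wins; any other login falls to the '*' user."""
    return explicit.get(login, default)

def can_newrole(login, role, explicit, default, roles):
    """True if `login` may `newrole -r role` under its SELinux user."""
    seuser = resolve_seuser(login, explicit, default)
    return seuser in roles and role in roles[seuser]

def needs_homedir_context(login, explicit, default, roles):
    """Assumed reading of the message: a per-user file_context.homedir is
    needed only for SELinux users that never sit in the plain user_r role."""
    seuser = resolve_seuser(login, explicit, default)
    return seuser in roles and "user_r" not in roles[seuser]
```

With the sample files, only dwalsh and ivan come back as needing their own homedir context, matching the message's count.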