Re: Why are we managing seusers file via libsemanage?

[Joshua Brindle <jbrindle@tresys.com>]

Joshua Brindle wrote:
> Daniel J Walsh wrote:
> 
>> I don't recall why we did this?
>>
>> I am now thinking this is not a good idea.  People were told to edit 
>> the /etc/selinux/POLICYTYPE/seusers file to change the default level 
>> at login, now we do this via libsemanage.  But doing this via 
>> libsemanage eliminates us from being able to distribute this 
>> information via say LDAP.
>>
> so that there could be a system + local (combined at commit time) iirc.
> 
> the database design of libsemanage should be conducive to distributing 
> this info with LDAP and still adding it to the policy at commit time. 
> Ivan made the database implementation fairly flexible about changing the 
> storage backend while still pulling the data in and using it to rebuild 
> policies.
> 
>> I think that seusers and setrans.conf should be left as flat files and 
>> allowed to be distributed via ldap.  We can allow the semanage tool 
>> and others to modify them and verify the data entry, but not manage 
>> them via the library.
>>
> 
> I'd rather a central point for SELinux management. Also, if not through 
> libsemanage the seuser file couldn't be managed through the policy 
> server. Further, libsemanage gives the ability to sanity check the input 
>  against the policy for error checking at modify time. This should 
> potentially cut down on bugs caused by modifying this by hand.
> 

To clarify: The library needs to do the validation no matter what. The 
policy isn't exposed to any userland tools so semanage can't do checking 
itself. So whether the semanage tool writes the file or libsemanage 
writes the file the library does validation, I don't see a compelling 
reason to push this parsing/writing code to the client.

I'd like the policy server to be capable of enforcing access on this 
file or else all the policy access controls are for naught, since the 
seuser file becomes an all-or-nothing point to give permissions to users.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.