From: Daniel J Walsh <dwalsh@redhat.com>
To: Ivan Gyurdiev <ivg2@cornell.edu>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Why are we managing seusers file via libsemanage?
Date: Tue, 17 Jan 2006 13:02:17 -0500 [thread overview]
Message-ID: <43CD3129.6060405@redhat.com> (raw)
In-Reply-To: <43CCA359.8030109@cornell.edu>
Ivan Gyurdiev wrote:
> Daniel J Walsh wrote:
>> I don't recall why we did this?
>>
>> I am now thinking this is not a good idea. People were told to edit
>> the /etc/selinux/POLICYTYPE/seusers file to change the default level
>> at login, now we do this via libsemanage. But doing this via
>> libsemanage eliminates us from being able to distribute this
>> information via say LDAP.
> I think the issue of management and of distribution are completely
> independent from each other (or if not, they should be made so).
> Distribution gets the data from A to B. Management interprets the
> data, and decides what to do with it.
>
> I don't understand the way Unix updates the password for example - it
> doesn't make sense to me, I would appreciate an explanation from
> someone who knows better. It provides a shared read interface on the
> passwd file (with backend switching via nss). It doesn't provide a
> shared write interface - why? That seems to me like a design mistake,
> where distribution/backend is tied to management. Why should I care
> where the password is kept if all I want to do is update it. I don't
> think we should replicate that behavior, and copy the read/write code
> in 10 places, like it's done for passwd - not until it's clear why
> this is the correct way to go.
>
>
Ok well the seusers file should indicate that it is machine generated
and should not be edited then, or can it be eliminated all together.
Users will edit this file...
We still need a mechanism for managing setrans.conf but I understand why
that is separate from libsemanage currently. I also think we need to
look into a semachine type interface that indicates that maximum
security level for a particular machine.
Dan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2006-01-17 18:02 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-01-17 3:49 Why are we managing seusers file via libsemanage? Daniel J Walsh
2006-01-17 5:27 ` Joshua Brindle
2006-01-17 5:33 ` Joshua Brindle
2006-01-17 7:36 ` Ivan Gyurdiev
2006-01-17 8:10 ` Ivan Gyurdiev
2006-01-17 7:16 ` Ivan Gyurdiev
2006-01-17 7:57 ` Ivan Gyurdiev
2006-01-17 18:02 ` Daniel J Walsh [this message]
2006-01-17 18:39 ` Ivan Gyurdiev
-- strict thread matches above, loose matches on Subject: below --
2006-01-17 16:56 schaufler-ca.com - Casey Schaufler
2006-01-17 19:02 ` Ivan Gyurdiev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43CD3129.6060405@redhat.com \
--to=dwalsh@redhat.com \
--cc=ivg2@cornell.edu \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.