From: Daniel J Walsh <dwalsh@redhat.com>
To: Rob Visser <visser.rob@gmail.com>
Cc: fedora-selinux-list@redhat.com, SE Linux <selinux@tycho.nsa.gov>
Subject: Re: SELINUX admin with LDAP
Date: Wed, 21 May 2008 09:57:08 -0400
Message-ID: <48342A34.4060907@redhat.com>
In-Reply-To: <869100480805210301s6ddfa47bl5b6b1e603a68acdd@mail.gmail.com>

Rob Visser wrote:
> Hello,
> 
> Is it possible to administer SELINUX users and RBAC stuff in LDAP? With RH
> directory server?
> It would be nice, since all the other stuff can be administered in LDAP.
> 
> Rob Visser
> 
We are working toward this goal.

seusers is now used with libselinux which I believe is a mistake.

I want to move the selection of the SELinux user and MLS Role into the
login programs pam_selinux and sshd.

Red Hat is looking into integration with FreeIPA.  The biggest problem we
have now is how to select the correct seuser for a machine.

The following is a potential format for a distributed seusers file:

# Format
# loginname;machine;service;selinuxuser;level
# +name == group name
system_u;*;*;system_u;s0-s0:c0.c1023
root;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;people.redhat.com;*;xguest_u;s0
dwalsh;people.fedoraproject.com;*;xguest_u;s0
dwalsh;redline.boston.redhat.com;*;user_u;s0
dwalsh;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;redsox.boston.redhat.com;ssh;guest_u;s0-s0:c0.c1023
+engineering;redsox;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;*;staff_u;s0-s0:c0.c1023
*;*;xdm;xguest_u;s0
*;*;*;guest_u;s0

We have come up with a couple of formats for the "best match", but this
has to be easily understood by an administrator.

Anyway, this conversation should take place on the selinux developer
list <selinux@tycho.nsa.gov>.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
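The message sketches a five-field seusers format with `+group` names and `*` wildcards and says the "best match" rule is still being worked out. The following is an added example, not code from Dan Walsh, Red Hat or the SELinux project: it parses the proposed format exactly as shown above and resolves a login to a (seuser, level) pair with an assumed specificity ordering (exact login name beats group, group beats `*`; then machine; then service). The treatment of a bare short name such as `redsox` as matching the first DNS label of the host is likewise an assumption made here; the sample file is the one from the message.

```python
"""Parse the proposed distributed seusers format and pick the best-matching
entry for a (login, host, service) triple.

The scoring rule is an ASSUMPTION for illustration: the message only says
"best match" is still being designed.  First-match-wins would not work for the
sample file, because 'dwalsh;redsox...;*' precedes 'dwalsh;redsox...;ssh'.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Sample file copied from the message (constructed test input for this example).
SAMPLE_SEUSERS = """\
# Format
# loginname;machine;service;selinuxuser;level
# +name == group name
system_u;*;*;system_u;s0-s0:c0.c1023
root;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;people.redhat.com;*;xguest_u;s0
dwalsh;people.fedoraproject.com;*;xguest_u;s0
dwalsh;redline.boston.redhat.com;*;user_u;s0
dwalsh;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;redsox.boston.redhat.com;ssh;guest_u;s0-s0:c0.c1023
+engineering;redsox;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;*;staff_u;s0-s0:c0.c1023
*;*;xdm;xguest_u;s0
*;*;*;guest_u;s0
"""


@dataclass(frozen=True)
class Entry:
    login: str      # user name, "+group", or "*"
    machine: str    # host name (FQDN or short label, assumed) or "*"
    service: str    # PAM service name (ssh, xdm, ...) or "*"
    seuser: str     # SELinux user to map to
    level: str      # MLS/MCS range


def parse_seusers(text: str) -> List[Entry]:
    """Parse ';'-separated entries; '#' starts a comment.  Malformed lines are
    rejected rather than skipped so a corrupted file cannot silently widen
    access by dropping a specific entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        entries.append(Entry(*fields))
    return entries


def _login_score(e: Entry, login: str, groups: Iterable[str]) -> Optional[int]:
    if e.login == login:
        return 2                       # exact user name: most specific
    if e.login.startswith("+") and e.login[1:] in groups:
        return 1                       # group membership
    if e.login == "*":
        return 0                       # wildcard
    return None                        # does not apply


def _machine_score(e: Entry, hostname: str) -> Optional[int]:
    if e.machine == "*":
        return 0
    # Assumption: a bare label like "redsox" matches the host's first DNS label.
    if e.machine == hostname or e.machine == hostname.split(".")[0]:
        return 1
    return None


def _service_score(e: Entry, service: str) -> Optional[int]:
    if e.service == "*":
        return 0
    return 1 if e.service == service else None


def best_match(entries: Iterable[Entry], login: str, hostname: str,
               service: str, groups: Iterable[str] = ()) -> Optional[Entry]:
    """Return the most specific applicable entry, or None when nothing applies.
    A caller should treat None as a failed login, not fall back to a default."""
    groups = tuple(groups)
    best: Optional[Entry] = None
    best_score: Optional[Tuple[int, int, int]] = None
    for e in entries:
        score = (_login_score(e, login, groups),
                 _machine_score(e, hostname),
                 _service_score(e, service))
        if None in score:
            continue
        if best_score is None or score > best_score:  # lexicographic tuple order
            best, best_score = e, score
    return best


if __name__ == "__main__":
    table = parse_seusers(SAMPLE_SEUSERS)
    hit = best_match(table, "dwalsh", "redsox.boston.redhat.com", "ssh", ["engineering"])
    print(hit.seuser, hit.level)  # dwalsh over ssh on redsox -> guest_u, not unconfined_u
```

With this ordering the login field dominates, so `dwalsh;redsox...;*` (a personal entry) outranks `+engineering;redsox;ssh` (a group entry) even though the latter is more specific about the service. Whether that is the right precedence is exactly the design question the message leaves open; the point of writing the rule down is that an administrator can read the scoring and predict the outcome for any row in the file.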
