Re: SELINUX admin with LDAP

Re: SELINUX admin with LDAP

[Daniel J Walsh]

Rob Visser wrote:
> Hello,
> 
> Is it possible to administer SELINUX users and RBAC stuff in LDAP? With RH
> directory server?
> It would be nice, since all the other stuff can be administered in LDAP.
> 
> Rob Visser
> 
We are working toward this goal.

seusers is now used with libselinux which I believe is a mistake.

I want to move the selection of the SELinux user and MLS Role into the
login programs pam_selinux and sshd.

RedHat is looking into integration with FreeIPA.  The biggest problem we
have now is how to select the correct seuser for a a machine.

The following is a potential format for a seusers distributed file

# Format
# loginname;machine;service;selinuxuser;level
# +name == group name
system_u;*;*;system_u;s0-s0:c0.c1023
root;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;people.redhat.com;*;xguest_u;s0
dwalsh;people.fedoraproject.com;*;xguest_u;s0
dwalsh;redline.boston.redhat.com;*;user_u;s0
dwalsh;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;redsox.boston.redhat.com;ssh;guest_u;s0-s0:c0.c1023
+engineering;redsox;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;*;staff_u;s0-s0:c0.c1023
*;*;xdm;xguest_u;s0
*;*;*;guest_u;s0

We have come up with a couple of formats for the "best match", but this
has to be easily understood by an administrator.

Anyways this conversation should take place on the selinux
<selinux@tycho.nsa.gov> developer list
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.