From: Daniel J Walsh <dwalsh@redhat.com>
To: Karl MacMillan <kmacmillan@mentalrootkit.com>
Cc: Stephen Smalley <stephen.smalley@gmail.com>,
Hasan Rezaul-CHR010 <CHR010@motorola.com>,
selinux@tycho.nsa.gov
Subject: Re: Mapping Linux GROUP to an SELinux user ?...
Date: Tue, 29 Jul 2008 09:37:32 -0400
Message-ID: <488F1D1C.4080709@redhat.com>
In-Reply-To: <10143820807281641j32da0c88v971ce52897de52e6@mail.gmail.com>
Karl MacMillan wrote:
> On Thu, Jul 24, 2008 at 9:05 PM, Stephen Smalley
> <stephen.smalley@gmail.com> wrote:
>> On Thu, 2008-07-24 at 14:22 -0400, Hasan Rezaul-CHR010 wrote:
>>> Hi All,
>>>
>>> Is there any way at all to map an entire Linux GROUP to an SELinux_user
>>> ??
>>>
>>> For example if Linux User accounts (Admin1, Admin2, and Admin3), all
>>> belong to the Linux group "wadm".
>>>
>>> Is there a simple or tricky way to map the entire Linux group wadm ->
>>> to staff_u ?
>>>
>>> This way, any Linux user account that happens to be part of the "wadm"
>>> group would automatically be mapped to staff_u ? This way we don't have
>>> to execute several semanage commands to create all those individual
>>> mappings ?
>> Not presently, but one could certainly implement such support in the
>> userland (pam_selinux + libselinux getseuserbyname).
>>
>
> I know that we and others have done this in the past, though our
> implementation at least is not really a general solution but something
> specific for one situation.
>
> A general solution would need to resolve what the semantics of the
> mapping would be including what to do when multiple groups match. Not
> really a problem, just requires some thought.
>
> Karl
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
First get seusers out of libsemanage.
libsemanage can be used to verify the selinux user exists and the level.
Then use the same syntax as sudo; I believe the group name is preceded by
an @ sign.
@engineering
I will code up a patch for libselinux, but we need work to allow
semanage to add this syntax.
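As an added illustration of the lookup Dan sketches above (this is example code, not code from libselinux, libsemanage or anyone in the thread), the Python below parses an seusers-style file that accepts the proposed @group entries, checks every target SELinux user against a stand-in for the libsemanage "does this SELinux user exist" check, and resolves a Linux account the way a group-aware getseuserbyname() would. The resolution order is an assumption chosen to answer Karl's question about multiple matching groups: an explicit user entry wins, then the first @group entry in file order whose group contains the account, then __default__. The seusers contents, the group database and the set of known SELinux users are all constructed for the example. (The group syntax libselinux later shipped in seusers uses a % prefix rather than the @ proposed here.)

```python
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str]  # (selinux_user, mls_level_or_range)

# Constructed sample seusers file for this example. Plain entries use the
# existing user:seuser:level format; the '@group' lines are the syntax
# proposed in the message above (hypothetical, not shipped libselinux syntax).
SEUSERS = """\
# comments and blank lines are ignored
system_u:system_u:s0-s0:c0.c1023
root:root:s0-s0:c0.c1023
admin2:sysadm_u:s0
@wadm:staff_u:s0
@engineering:user_u:s0
__default__:unconfined_u:s0-s0:c0.c1023
"""

# Constructed group database standing in for getgrouplist(3)/getgrent(3).
GROUPS: Dict[str, List[str]] = {
    "wadm": ["admin1", "admin2", "admin3"],
    "engineering": ["admin3", "eng1"],
    "users": ["eng1", "guest"],
}

# Constructed stand-in for asking libsemanage which SELinux users exist.
KNOWN_SEUSERS = {"system_u", "root", "sysadm_u", "staff_u", "user_u", "unconfined_u"}

# name:seuser[:level]; the third field is optional on non-MLS systems.
LINE_RE = re.compile(r"^([^:]+):([^:]+)(?::(.*))?$")


def parse_seusers(text: str, known=KNOWN_SEUSERS):
    """Split an seusers file into user entries, ordered @group entries and the
    __default__ entry, rejecting any entry whose SELinux user is unknown."""
    users: Dict[str, Entry] = {}
    groups: List[Tuple[str, str, str]] = []
    default: Optional[Entry] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"seusers:{lineno}: malformed entry {raw!r}")
        name, seuser, level = m.group(1), m.group(2), m.group(3) or ""
        if seuser not in known:
            raise ValueError(f"seusers:{lineno}: unknown SELinux user {seuser!r}")
        if name == "__default__":
            default = (seuser, level)
        elif name.startswith("@"):
            if len(name) == 1:
                raise ValueError(f"seusers:{lineno}: empty group name")
            groups.append((name[1:], seuser, level))
        else:
            users[name] = (seuser, level)
    return users, groups, default


def groups_of(user: str, groupdb=GROUPS):
    """Names of every group the account belongs to."""
    return {g for g, members in groupdb.items() if user in members}


def getseuserbyname(user: str, table, groupdb=GROUPS) -> Entry:
    """Resolve a Linux account to (seuser, level).
    Order (an assumption for this example): explicit user entry, then the
    first @group entry in file order that names a group the account is in,
    then __default__. An account in several mapped groups therefore gets
    the mapping listed first, which keeps the result deterministic."""
    users, groups, default = table
    if user in users:
        return users[user]
    mine = groups_of(user, groupdb)
    for group, seuser, level in groups:
        if group in mine:
            return (seuser, level)
    if default is None:
        raise KeyError(f"no seusers mapping for {user!r} and no __default__")
    return default


if __name__ == "__main__":
    table = parse_seusers(SEUSERS)
    for acct in ("admin1", "admin2", "admin3", "eng1", "guest", "nobody"):
        print(acct, "->", ":".join(getseuserbyname(acct, table)))
```

With the constructed data, admin1 and admin3 resolve to staff_u through @wadm (admin3 is also in engineering, but @wadm is listed first), admin2 keeps its explicit sysadm_u entry, eng1 gets user_u through @engineering, and accounts in no mapped group fall through to __default__. An seusers file with no __default__ and no matching entry raises rather than silently mapping the account.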
Thread overview (9 messages):
2008-07-24 5:38 hierarchy_check_constraints() needs reworks? KaiGai Kohei
2008-07-24 11:24 ` Stephen Smalley
2008-07-24 18:22 ` Mapping Linux GROUP to an SELinux user ? Hasan Rezaul-CHR010
2008-07-25 1:05 ` Stephen Smalley
2008-07-28 23:41 ` Karl MacMillan
2008-07-29 13:37 ` Daniel J Walsh [this message]
2008-07-25 0:39 ` hierarchy_check_constraints() needs reworks? KaiGai Kohei
2008-07-24 14:40 ` Joshua Brindle
2008-07-25 2:31 ` KaiGai Kohei