05-21-2008, 10:01 AM
Rob Visser
Subject: SELinux admin with LDAP

Hello,

Is it possible to administer SELinux users and RBAC stuff in LDAP? With RH Directory Server?
It would be nice, since all the other stuff can be administered in LDAP.

Rob Visser
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
05-21-2008, 11:50 AM
Stephen Smalley
Subject: SELinux admin with LDAP

On Wed, 2008-05-21 at 12:01 +0200, Rob Visser wrote:
> Hello,
>
> Is it possible to administer SELINUX users and RBAC stuff in LDAP?
> With RH directory server?
> It would be nice, since all the other stuff can be administered in
> LDAP.

Not yet, but known as a need. Likely would take the form of moving
seusers management out of libsemanage and adding a LDAP lookup back end
to libselinux getseuserbyname(). Then you could manage at least the
Linux user -> (SELinux user, MLS range) authorizations in LDAP.

--
Stephen Smalley
National Security Agency

 
05-21-2008, 01:57 PM
Daniel J Walsh
Subject: SELinux admin with LDAP

Rob Visser wrote:
> Hello,
>
> Is it possible to administer SELINUX users and RBAC stuff in LDAP? With RH
> directory server?
> It would be nice, since all the other stuff can be administered in LDAP.
>
> Rob Visser
>
We are working toward this goal.

seusers is now used with libselinux which I believe is a mistake.

I want to move the selection of the SELinux user and MLS Role into the
login programs pam_selinux and sshd.

RedHat is looking into integration with FreeIPA. The biggest problem we
have now is how to select the correct seuser for a machine.

The following is a potential format for a seusers distributed file

# Format
# loginname;machine;service;selinuxuser;level
# +name == group name
system_u;*;*;system_u;s0-s0:c0.c1023
root;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;people.redhat.com;*;xguest_u;s0
dwalsh;people.fedoraproject.com;*;xguest_u;s0
dwalsh;redline.boston.redhat.com;*;user_u;s0
dwalsh;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;redsox.boston.redhat.com;ssh;guest_u;s0-s0:c0.c1023
+engineering;redsox;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;*;staff_u;s0-s0:c0.c1023
*;*;xdm;xguest_u;s0
*;*;*;guest_u;s0

We have come up with a couple of formats for the "best match", but this
has to be easily understood by an administrator.

Anyway, this conversation should take place on the selinux
<selinux@tycho.nsa.gov> developer list.

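As an added example (not code from the thread, from libselinux or from libsemanage), the following Python parses the distributed seusers format Dan posted above and performs one possible "best match" lookup, returning the (SELinux user, MLS range) pair that Stephen's getseuserbyname()-style back end would hand to pam_selinux or sshd. The ranking rule is an assumption, since the thread says it was still undecided: an exact login name beats a +group entry, which beats `*`; after that a named machine beats `*`, then a named service beats `*`; on a tie the first entry in the file wins. Matching a bare short name such as `redsox` against the first label of the FQDN is also an assumption. The sample table is constructed from the lines in Dan's post.

```python
"""Best-match lookup over the proposed distributed seusers format.

Added example only: not code from the thread, libselinux or libsemanage.
Ranking rule (an assumption; the thread leaves it undecided):
  login: exact name (2) > +group (1) > "*" (0)
  machine: named host (1) > "*" (0)
  service: named service (1) > "*" (0)
Compared as a tuple in that order; the first entry in the file wins ties.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Sample file, constructed from the lines posted in the thread.
SAMPLE_SEUSERS = """\
# Format
# loginname;machine;service;selinuxuser;level
# +name == group name
system_u;*;*;system_u;s0-s0:c0.c1023
root;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;people.redhat.com;*;xguest_u;s0
dwalsh;people.fedoraproject.com;*;xguest_u;s0
dwalsh;redline.boston.redhat.com;*;user_u;s0
dwalsh;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;redsox.boston.redhat.com;ssh;guest_u;s0-s0:c0.c1023
+engineering;redsox;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;*;staff_u;s0-s0:c0.c1023
*;*;xdm;xguest_u;s0
*;*;*;guest_u;s0
"""


@dataclass(frozen=True)
class SeuserEntry:
    login: str    # Linux user name, "+group", or "*"
    machine: str  # host name or "*"
    service: str  # PAM service name (ssh, xdm, ...) or "*"
    seuser: str   # SELinux user to map to
    level: str    # MLS/MCS range


def parse_seusers(text: str) -> List[SeuserEntry]:
    """Parse the ';'-separated format. Malformed lines raise instead of being
    skipped, so a typo cannot silently drop a restrictive rule."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5 or not all(fields):
            raise ValueError(f"seusers line {lineno}: expected 5 non-empty fields: {raw!r}")
        entries.append(SeuserEntry(*fields))
    return entries


def _login_rank(entry: SeuserEntry, user: str, groups) -> Optional[int]:
    if entry.login == "*":
        return 0
    if entry.login.startswith("+"):          # "+name == group name"
        return 1 if entry.login[1:] in groups else None
    return 2 if entry.login == user else None


def _machine_rank(entry: SeuserEntry, host: str) -> Optional[int]:
    if entry.machine == "*":
        return 0
    # Assumption: a short name ("redsox") matches the first label of the FQDN.
    if entry.machine == host or entry.machine == host.split(".", 1)[0]:
        return 1
    return None


def _service_rank(entry: SeuserEntry, service: str) -> Optional[int]:
    if entry.service == "*":
        return 0
    return 1 if entry.service == service else None


def lookup_seuser(entries: Iterable[SeuserEntry], user: str, groups,
                  host: str, service: str) -> Optional[Tuple[str, str]]:
    """Return (seuser, level) from the most specific matching entry, or None
    when nothing matches (a login program should then refuse, not guess)."""
    best, best_rank = None, None
    for e in entries:
        rank = (_login_rank(e, user, groups), _machine_rank(e, host),
                _service_rank(e, service))
        if None in rank:                     # some field did not match
            continue
        if best_rank is None or rank > best_rank:   # strict '>' keeps first on ties
            best, best_rank = e, rank
    return None if best is None else (best.seuser, best.level)


if __name__ == "__main__":
    table = parse_seusers(SAMPLE_SEUSERS)
    print(lookup_seuser(table, "dwalsh", {"engineering"},
                        "redsox.boston.redhat.com", "ssh"))
```

With the sample table, dwalsh logging in over ssh to redsox.boston.redhat.com gets `guest_u`, while a console or xdm login on the same host gets `unconfined_u`; an engineering group member on any other host gets `staff_u` even through xdm, because the login field outranks the service field under the assumed ordering. Returning None rather than falling through to a default when no entry matches is the deliberate choice here; the catch-all `*;*;*` line in the file is what supplies the default.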