Hello,
Is it possible to administer SELINUX users and RBAC stuff in LDAP? With RH directory server? It would be nice, since all the other stuff can be administered in LDAP.
Rob Visser
On Wed, 2008-05-21 at 12:01 +0200, Rob Visser wrote:
> Hello,
> Is it possible to administer SELINUX users and RBAC stuff in LDAP? With RH directory server? It would be nice, since all the other stuff can be administered in LDAP.
Not yet, but known as a need. Likely would take the form of moving seusers management out of libsemanage and adding a LDAP lookup back end to libselinux getseuserbyname(). Then you could manage at least the Linux user -> (SELinux user, MLS range) authorizations in LDAP.
Rob Visser wrote:
> Hello,
> Is it possible to administer SELINUX users and RBAC stuff in LDAP? With RH directory server? It would be nice, since all the other stuff can be administered in LDAP.
> Rob Visser
We are working toward this goal.
seusers is now used with libselinux which I believe is a mistake.
I want to move the selection of the SELinux user and MLS Role into the login programs pam_selinux and sshd.
RedHat is looking into integration with FreeIPA. The biggest problem we have now is how to select the correct seuser for a machine.
The following is a potential format for a seusers distributed file:

# Format
# loginname;machine;service;selinuxuser;level
# +name == group name
system_u;*;*;system_u;s0-s0:c0.c1023
root;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;people.redhat.com;*;xguest_u;s0
dwalsh;people.fedoraproject.com;*;xguest_u;s0
dwalsh;redline.boston.redhat.com;*;user_u;s0
dwalsh;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;redsox.boston.redhat.com;ssh;guest_u;s0-s0:c0.c1023
+engineering;redsox;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;*;staff_u;s0-s0:c0.c1023
*;*;xdm;xguest_u;s0
*;*;*;guest_u;s0
We have come up with a couple of formats for the "best match", but this has to be easily understood by an administrator.
Anyways, this conversation should take place on the selinux developer list (selinux@tycho.nsa.gov).
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
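Added example, not code from the thread or from libselinux: a parser for the proposed loginname;machine;service;selinuxuser;level format plus one possible "best match" rule. The thread leaves the matching rule open, so the specificity ordering here (exact login beats +group beats *, and the login field outranks machine, which outranks service) is an assumption; hostnames are compared exactly, and the sample file is constructed.

```python
from typing import NamedTuple, Optional, Sequence

# Constructed sample in the proposed seusers distributed format (not a real file).
SEUSERS = """\
# loginname;machine;service;selinuxuser;level
# +name == group name
root;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;people.redhat.com;*;xguest_u;s0
dwalsh;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;redsox.boston.redhat.com;ssh;guest_u;s0-s0:c0.c1023
+engineering;*;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;*;staff_u;s0-s0:c0.c1023
*;*;xdm;xguest_u;s0
*;*;*;guest_u;s0
"""

class Rule(NamedTuple):
    login: str
    machine: str
    service: str
    seuser: str
    level: str

def parse_seusers(text: str) -> list:
    """Parse ';'-separated rules, skipping blank lines and '#' comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        rules.append(Rule(*fields))
    return rules

def _score(pattern: str, value: str, groups: Sequence[str] = ()) -> int:
    """Assumed specificity: exact 3, '+group' membership 2, '*' 1; 0 = no match."""
    if pattern == value:
        return 3
    if pattern.startswith("+") and pattern[1:] in groups:
        return 2
    return 1 if pattern == "*" else 0

def lookup(rules, login, groups, machine, service) -> Optional[tuple]:
    """Return (seuser, level) from the most specific matching rule, or None."""
    best, best_key = None, (0, 0, 0)
    for r in rules:
        key = (_score(r.login, login, groups), _score(r.machine, machine),
               _score(r.service, service))
        if 0 in key:
            continue  # at least one field did not match this rule
        if key > best_key:  # tuple compare: login > machine > service (assumed)
            best, best_key = r, key
    return (best.seuser, best.level) if best else None
```

Comparing the score tuple lexicographically rather than summing it avoids ties such as "dwalsh;people.redhat.com;*" versus "+engineering;*;ssh", which would otherwise score equal.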