I have been fooling around with RBAC and roles to see how it works and could be used.
If I understand correctly, either
1. In order to add a new role, you need to modify the source in the src.rpm and create a "new" policy: gop or "Gene's Own Policy".
or
2. I do not know the correct "magic dance" to perform to add a new role definition to an existing policy.
Comment?
Gene
Gene Czarcinski wrote:
> I have been fooling around with RBAC and roles to see how it works and could be used.
> If I understand correctly, either
> - In order to add a new role, you need to modify the source in the src.rpm
>   and create a "new" policy: gop or "Gene's Own Policy".
> or
> - I do not know the correct "magic dance" to perform to add a new role
>   definition to an existing policy.
> Comment?
You should be able to add a new role through a loadable policy module and then use semanage to assign the role to SELinux Users.
> Gene
On Thu, 2006-10-19 at 10:09 -0400, Daniel J Walsh wrote:
> Gene Czarcinski wrote:
> > I have been fooling around with RBAC and roles to see how it works and could be used.
> > If I understand correctly, either
> > - In order to add a new role, you need to modify the source in the src.rpm
> >   and create a "new" policy: gop or "Gene's Own Policy".
> > or
> > - I do not know the correct "magic dance" to perform to add a new role
> >   definition to an existing policy.
> > Comment?
> You should be able to add a new role through a loadable policy module and then use semanage to assign the role to SELinux Users.
It isn't quite that simple (at least not yet). Full integration of a role requires too pervasive of a change to work well from a loadable module. Role additions in the current refpolicy have all gone into userdomain in the policy sources. There is also the rolemap file.
There is a role-infra branch that Chris is working on to improve infrastructure for adding roles.