SELinux integration in LDAP

Daniel J Walsh dwalsh at redhat.com
Tue Aug 17 10:25:00 UTC 2010


On 08/17/2010 06:12 AM, imsand at puzzle.ch wrote:
> Hello,
> 
> I’m referring to an older post (May 2008)
> http://lists.fedoraproject.org/pipermail/selinux/2008-May/009449.html
> 
> The question is whether it’s possible to administer SELinux users and RBAC
> stuff (like roles) in LDAP.
> Are there some developments on this?
> What about FreeIPA, do they have some sample code / libraries that I could
> integrate in our company?
> 
> In our company everything relies on LDAP. So I must have a solution for
> integrating SELinux in LDAP.
> 
> Thanks in advance
> imsand
> 
It would be fairly easy to integrate SELinux users and LDAP.  We have
suggested to people in the past that they store this data in LDAP and then use
tools, perhaps in a cron job, to extract the data and update the seusers
file.  But the problem comes down to this: how do you do seusers per machine?

As an example, my account on my laptop should be staff_u, but my account on
people.fedoraproject.org or people.redhat.com should be guest_u.

IPA is supposed to address this by adding Machine Identity.  We had some
discussion on having sssd handle some of this also at LinuxCon.
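As an added illustration of the cron-job approach described in the reply above (example code written for this page, not code from Fedora, FreeIPA or sssd), the following Python builds a per-host seusers file from constructed records standing in for LDAP search results. The attribute names selinuxHost, selinuxUser and selinuxRange, and the "*" host wildcard, are assumptions made up for the example, not a published schema.

```python
"""Generate a per-host seusers file from constructed LDAP-style records.

seusers (e.g. /etc/selinux/targeted/seusers) holds one 'login:seuser:mls_range'
line per mapping plus a '__default__' line.  Storing one record per
(uid, host) pair in LDAP lets the same login map to staff_u on one box and
guest_u on another, which is the per-machine problem raised in the thread.
"""
import os
import tempfile

# Constructed sample records standing in for an LDAP search result.
# The attribute names are hypothetical; '*' means "any host".
SAMPLE_LDAP_ENTRIES = [
    {"uid": "dwalsh", "selinuxHost": "laptop.example.com",
     "selinuxUser": "staff_u", "selinuxRange": "s0-s0:c0.c1023"},
    {"uid": "dwalsh", "selinuxHost": "people.example.com",
     "selinuxUser": "guest_u", "selinuxRange": "s0"},
    {"uid": "imsand", "selinuxHost": "*",
     "selinuxUser": "user_u", "selinuxRange": "s0"},
    # A typo in LDAP must not end up in seusers; this entry is dropped below.
    {"uid": "eve", "selinuxHost": "*",
     "selinuxUser": "bogus_u", "selinuxRange": "s0"},
]

# SELinux users the local policy actually defines (assumed for the example;
# in practice take this from 'semanage user -l' or the policy's own list).
KNOWN_SEUSERS = {"staff_u", "user_u", "guest_u", "xguest_u", "sysadm_u",
                 "unconfined_u", "root"}
DEFAULT_LINE = "__default__:unconfined_u:s0-s0:c0.c1023"


def select_mappings(entries, hostname, known=KNOWN_SEUSERS):
    """Return {login: (seuser, mls_range)} applicable to this host.

    A host-specific record beats a '*' record for the same login; records
    naming an SELinux user the policy does not define are skipped so a bad
    LDAP value cannot produce an unusable seusers file.
    """
    chosen = {}  # login -> (seuser, range, is_host_specific)
    for e in entries:
        if e["selinuxHost"] not in ("*", hostname) or e["selinuxUser"] not in known:
            continue
        specific = e["selinuxHost"] == hostname
        prev = chosen.get(e["uid"])
        if prev is None or (specific and not prev[2]):
            chosen[e["uid"]] = (e["selinuxUser"], e["selinuxRange"], specific)
    return {u: (s, r) for u, (s, r, _) in chosen.items()}


def render_seusers(mappings, default_line=DEFAULT_LINE):
    """Serialize mappings in seusers syntax, sorted for stable diffs."""
    lines = [f"{login}:{seuser}:{rng}" for login, (seuser, rng) in sorted(mappings.items())]
    lines.append(default_line)
    return "\n".join(lines) + "\n"


def write_atomically(path, content):
    """Write the file via a temp file + rename so login never sees a half-written seusers."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".seusers.")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
```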
