Rob Visser wrote:

Hello,

Is it possible to administer SELINUX users and RBAC stuff in LDAP? With RH directory server? It would be nice, since all the other stuff can be administered in LDAP.

Rob Visser

We are working toward this goal.

seusers is now used with libselinux which I believe is a mistake.

I want to move the selection of the SELinux user and MLS Role into the login programs pam_selinux and sshd.

RedHat is looking into integration with FreeIPA. The biggest problem we have now is how to select the correct seuser for a a machine.

The following is a potential format for a seusers distributed file

# Format # loginname;machine;service;selinuxuser;level # +name == group name system_u;*;*;system_u;s0-s0:c0.c1023 root;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023 dwalsh;people.redhat.com;*;xguest_u;s0 dwalsh;people.fedoraproject.com;*;xguest_u;s0 dwalsh;redline.boston.redhat.com;*;user_u;s0 dwalsh;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023 dwalsh;redsox.boston.redhat.com;ssh;guest_u;s0-s0:c0.c1023 +engineering;redsox;ssh;staff_u;s0-s0:c0.c1023 +engineering;*;ssh;staff_u;s0-s0:c0.c1023 +engineering;*;*;staff_u;s0-s0:c0.c1023 *;*;xdm;xguest_u;s0 *;*;*;guest_u;s0

We have come up with a couple of formats for the "best match", but this has to be easily understood by an administrator.

Anyways this conversation should take place on the selinux selinux@tycho.nsa.gov developer list

---

-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list