When working on the SELinux code lately, I found out that all the functions from sss_selinux.c are consumed by ipa_selinux.c only. I don't think it makes sense to have a sss_selinux.c module in the util/ tree, so I simply merged the functions into ipa_selinux.
On Thu, 2014-03-13 at 19:54 +0100, Jakub Hrozek wrote:
When working on the SELinux code lately, I found out that all the functions from sss_selinux.c are consumed by ipa_selinux.c only. I don't think it makes sense to have a sss_selinux.c module in the util/ tree, so I simply merged the functions into ipa_selinux.
Wouldn't this require to branch them off again if the GPO work will allow us to store selinux maps in AD too ?
Simo.
On Thu, Mar 13, 2014 at 03:09:44PM -0400, Simo Sorce wrote:
On Thu, 2014-03-13 at 19:54 +0100, Jakub Hrozek wrote:
When working on the SELinux code lately, I found out that all the functions from sss_selinux.c are consumed by ipa_selinux.c only. I don't think it makes sense to have a sss_selinux.c module in the util/ tree, so I simply merged the functions into ipa_selinux.
Wouldn't this require to branch them off again if the GPO work will allow us to store selinux maps in AD too ?
Simo.
I wasn't aware this was the plan. I think the answer depends on the schemas in AD. The 'util' functions that process the mappings are closely tied to how the SELinux maps in IPA are designed, especially with respect to how the evaluation works and how the priorities are selected.
On 03/13/2014 03:36 PM, Jakub Hrozek wrote:
On Thu, Mar 13, 2014 at 03:09:44PM -0400, Simo Sorce wrote:
On Thu, 2014-03-13 at 19:54 +0100, Jakub Hrozek wrote:
When working on the SELinux code lately, I found out that all the functions from sss_selinux.c are consumed by ipa_selinux.c only. I don't think it makes sense to have a sss_selinux.c module in the util/ tree, so I simply merged the functions into ipa_selinux.
Wouldn't this require to branch them off again if the GPO work will allow us to store selinux maps in AD too ?
Simo.
I wasn't aware this was the plan. I think the answer depends on the schemas in AD. The 'util' functions that process the mappings are closely tied to how the SELinux maps in IPA are designed, especially with respect to how the evaluation works and how the priorities are selected. _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
GPO is for the AD HBAC only. This is the scope. I am not sure it will be more than that.
sssd-devel@lists.fedorahosted.org
-
Dmitri Pal -
Jakub Hrozek -
Simo Sorce