roles

Stephen Smalley sds at tycho.nsa.gov
Thu Oct 19 15:04:29 UTC 2006


On Thu, 2006-10-19 at 10:09 -0400, Daniel J Walsh wrote:
> Gene Czarcinski wrote:
> > I have been fooling around with RBAC and roles to see how it works and could 
> > be used.
> >
> > If I understand correctly, either
> >
> > 1. In order to add a new role, you need to modify the source in the src.rpm 
> > and create a "new" policy: gop or "Gene's Own Policy".
> >
> > or
> >
> > 2. I do not know the correct "magic dance" to perform to add a new role 
> > definition to an existing policy.
> >
> > Comment?
> >
> >   
> You should be able to add a new role through a loadable policy module 
> and then use semanage
> to assign the role to SELinux Users.

It isn't quite that simple (at least not yet).  Full integration of a
role requires too pervasive of a change to work well from a loadable
module.  Role additions in the current refpolicy have all gone into
userdomain in the policy sources.  There is also the rolemap file.

There is a role-infra branch that Chris is working on to improve
infrastructure for adding roles.

-- 
Stephen Smalley
National Security Agency



