[PATCH 1/5] adding seadmin support

Dominick Grift dominick.grift at gmail.com
Fri Nov 8 13:07:14 UTC 2013


On Fri, 2013-11-08 at 09:28 -0200, Leonidas Da Silva Barbosa wrote:

> 
> > The idea is nice, but an admin could script this up in a heartbeat
> >
> I agree, but the idea is to make this more visible. Today we know we have
> an admin role, but to reach that some steps are needed. Putting it into a tool gives
> some highlight to the use of admin roles and admin users IMHO.

There are probably more effective ways to make it visible

> > > +# PATH to staff_u that will be base to new users created.
> > > +STAFF_U = "staff_u"
> > 
> > this is very generic and inflexible in my opinion. I would probably have
> > implemented a configuration file where admin can set
> > "default_admin_selinux_identity=", and additionally a
> > admin_selinux_identity option to override the default
> > 
> The idea was really to have only staff as the start point, since staff_r is
> already an isolated domain.

I can see that that was the idea. I think the idea is sub-optimal

> > So how are you going to specify then that joe is associated with webadm.
> > and jane is associated with mailadm?

> This works via sudo and also via the link between the LOGIN and the created
> SELinux admin user. So, Joe can transition to webadm from
> staff_u:staff_r:staff_t to se_webadm_u:webadm_r:webadm_t.
> I'm not sure if that was your point; please let me know more about your
> thoughts on that.

That does not make sense to me. sewebadm_u has no place in this example.

It's staff_u/staff_r/staff_t manually changing to
staff_u/webadm_r/webadm_t via sudo, if I read your code correctly

The problem is that if you associate more than a single admin role to
staff_u, that all the users associated with staff_u will have access to
all those roles from a SELinux point of view

This seems to me undesirable
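To make the role-reachability argument above concrete, here is an added example that is not part of the thread or of the patch under review. It parses the text layout of `semanage user -l` and `semanage login -l` from constructed sample output, lists the roles each Linux login can reach, flags a shared SELinux user that carries several admin roles, and builds the per-admin split (one SELinux user per admin role, each also holding staff_r) that the objection implies. The column layout of the two listings, the admin-role set and the `<role>_u` naming of the split users are assumptions made for the example.

```python
"""Model the login -> SELinux user -> role chain and flag shared SELinux
users that carry more than one admin role.

Added example; not code from the patch or the selinux project. It reads
the text layout of `semanage login -l` and `semanage user -l`; the two
sample listings below are constructed for the demonstration.
"""

# Constructed sample in the layout of `semanage user -l`: staff_u has been
# given both webadm_r and mailadm_r, the setup the thread objects to.
SEMANAGE_USER_OUTPUT = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r webadm_r mailadm_r
user_u          user       s0         s0                             user_r
"""

# Constructed sample in the layout of `semanage login -l`.
SEMANAGE_LOGIN_OUTPUT = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
joe                  staff_u              s0-s0:c0.c1023       *
jane                 staff_u              s0-s0:c0.c1023       *
"""

# Assumed set of roles we treat as administrative for this check.
ADMIN_ROLES = {"sysadm_r", "webadm_r", "mailadm_r", "dbadm_r", "secadm_r"}


def parse_semanage_users(text):
    """Return {selinux_user: set(roles)} from `semanage user -l` text."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and the two header lines (neither names a user).
        if len(fields) < 5 or fields[0] in ("Labeling", "SELinux"):
            continue
        users[fields[0]] = set(fields[4:])
    return users


def parse_semanage_logins(text):
    """Return {login: selinux_user} from `semanage login -l` text."""
    logins = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "Login":
            continue
        logins[fields[0]] = fields[1]
    return logins


def reachable_roles(login, logins, users):
    """Roles a Linux login can end up in through its SELinux user.
    Logins without an explicit mapping fall back to __default__."""
    seuser = logins.get(login, logins.get("__default__"))
    return set(users.get(seuser, set()))


def shared_admin_users(logins, users, admin_roles=ADMIN_ROLES):
    """Flag SELinux users holding more than one admin role that are mapped
    from more than one login: every such login reaches all those roles."""
    findings = []
    for seuser, roles in users.items():
        admin = roles & admin_roles
        mapped = sorted(l for l, u in logins.items() if u == seuser)
        if len(admin) > 1 and len(mapped) > 1:
            findings.append((seuser, sorted(admin), mapped))
    return findings


def split_per_admin(users, shared_user, admin_roles=ADMIN_ROLES):
    """Corrected layout: strip admin roles from the shared user and create
    one SELinux user per admin role (assumed name: <role minus _r>_u),
    each carrying the shared user's remaining roles plus that one role."""
    fixed = {u: set(r) for u, r in users.items()}
    base = fixed[shared_user] - admin_roles
    fixed[shared_user] = base
    for role in sorted(users[shared_user] & admin_roles):
        fixed[role[:-2] + "_u"] = base | {role}
    return fixed


if __name__ == "__main__":
    users = parse_semanage_users(SEMANAGE_USER_OUTPUT)
    logins = parse_semanage_logins(SEMANAGE_LOGIN_OUTPUT)
    for login in ("joe", "jane"):
        print(login, "reaches", sorted(reachable_roles(login, logins, users)))
    for seuser, admin, mapped in shared_admin_users(logins, users):
        print(f"shared {seuser} grants {admin} to all of {mapped}")
    for seuser, roles in sorted(split_per_admin(users, "staff_u").items()):
        print("proposed:", seuser, sorted(roles))
```

With the sample data the check reports that staff_u hands both webadm_r and mailadm_r to joe and jane alike, and the proposed layout maps each admin to a dedicated SELinux user (webadm_u, mailadm_u) so that `semanage login -a -s <seuser> <login>` can bind one login to one admin role.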