[PATCH 1/5] adding seadmin support

Leonidas Da Silva Barbosa leosilva at linux.vnet.ibm.com
Fri Nov 8 16:35:42 UTC 2013


On Fri, Nov 08, 2013 at 02:07:14PM +0100, Dominick Grift wrote:
> On Fri, 2013-11-08 at 09:28 -0200, Leonidas Da Silva Barbosa wrote:
> 
> > 
> > > The idea is nice, but an admin could script this up in a heartbeat
> > >
> > I agree, but the idea is to make this more visible. Today we know we have
> > an admin role, but to reach that some steps are needed. Putting it into a tool gives
> > some highlight to the use of admin roles and user admins IMHO.
> 
> There are probably more effective ways to make it visible
>

I can agree, but it's also about having a tool/supporting it. Anyway, I'm
trying to understand if it is a good idea to keep up these efforts to
support it or not. I still believe it is a good approach to support admin role
creation, and also to implement an 'isolated admins' environment, but I'm
totally open to thoughts and ideas about why not to put it in, or better
approaches to put it in.

> > > > +# PATH to staff_u that will be base to new users created.
> > > > +STAFF_U = "staff_u"
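Review bot: the comment on `STAFF_U` says "PATH to staff_u", but `staff_u` is a SELinux user identity, not a filesystem path; reword it (for example "SELinux user that newly created admin users are based on") so readers do not look for a path. Hardcoding that identity as a module constant also leaves no way to choose a different base user without editing the source, which is the inflexibility raised in the reply below.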
> > > 
> > > this is very generic and inflexible in my opinion. I would probably have
> > > implemented a configuration file where admin can set
> > > "default_admin_selinux_identity=", and additionally a
> > > admin_selinux_identity option to override the default
> > > 
> > The idea was really to have only staff as a start point, since staff_r is
> > already an isolated domain.
> 
> I can see that that was the idea. I think the idea is sub-optimal
> 
> > > So how are you going to specify then that joe is associated with webadm
> > > and jane is associated with mailadm?
> 
> > This works via sudo and also via a link between LOGIN and the created
> > SELinux admin user. So, Joe can transition to webadm from
> > staff_u:staff_r:staff_t to se_webadm_u:webadm_r:webadm_t.
> > I'm not sure if it was your point, please, let me know more about your
> > thoughts on that.
> 
> That does not make sense to me. sewebadm_u has no place in this example.
> 
> It's staff_u/staff_r/staff_t manually changing to
> staff_u/webadm_r/webadm_t via sudo if I read your code correctly
> 
> The problem is that if you associate more than a single admin role to
> staff_u, that all the users associated with staff_u will have access to
> all those roles from a SELinux point of view
> 
> This seems to me undesirable
> 
> 
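The role-sharing problem described in the reply above, as an added example that is not part of this thread or of the patch: it parses the column layout of `semanage login -l` and `semanage user -l` (sample output constructed here, with joe, jane, webadm_r and mailadm_r taken from the discussion) and lists every login whose SELinux user carries more than one admin role, which is exactly the case where joe and jane can each reach both roles.

```python
"""Audit which SELinux roles each Linux login can reach, to make visible why
attaching several admin roles to one SELinux user (staff_u) is a problem."""

# Constructed sample output in the column layout of `semanage login -l`
# and `semanage user -l`; not captured from a real system.
SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  staff_u              s0-s0:c0.c1023       *
jane                 staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""

SEMANAGE_USER = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r webadm_r mailadm_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
"""

def _rows(text):
    """Data rows after the blank line that separates semanage's header from its data."""
    lines = text.splitlines()
    return [ln.split() for ln in lines[lines.index("") + 1:] if ln.strip()]

def parse_logins(text):
    """Map login name -> SELinux user from `semanage login -l` output."""
    return {row[0]: row[1] for row in _rows(text)}

def parse_users(text):
    """Map SELinux user -> set of roles from `semanage user -l` output."""
    return {row[0]: set(row[4:]) for row in _rows(text)}  # roles follow the MCS range

def reachable_roles(logins, users):
    """Roles each login can enter through its SELinux user (sudo/newrole only pick among these)."""
    return {login: users.get(seuser, set()) for login, seuser in logins.items()}

def shared_admin_roles(logins, users, admin_suffix="adm_r"):
    """Logins whose SELinux user carries more than one admin role, i.e. no isolation."""
    return {login: sorted(r for r in roles if r.endswith(admin_suffix))
            for login, roles in reachable_roles(logins, users).items()
            if sum(r.endswith(admin_suffix) for r in roles) > 1}

if __name__ == "__main__":
    found = shared_admin_roles(parse_logins(SEMANAGE_LOGIN), parse_users(SEMANAGE_USER))
    for login, roles in found.items():
        print(f"{login}: can reach {' '.join(roles)} via a shared SELinux user")
```

Giving each admin a separate SELinux user that carries only its own admin role makes the audit come back empty, which is the isolation the thread is after.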


