Re: Adding libseuser functionality to libselinux?
On Tue, 2005-02-15 at 11:22, Daniel J Walsh wrote:
> Thoughts on moving some of the functions available in setools into
> libselinux.
>
> Basically I want to add the ability to add roles via the adduser command
> (shadow-utils) and thus
> make dealing with roles easier in OS. The problem is that I don't want
> to require setools in
> order to get this functionality (libseuser).
>
> I need the ability to get the roles that are available via the currently
> running policy and to manipulate
> the users defined in the local.users file. I then need to have
> genpolusers type functions to allow me
> to change the running policy. We don't need the functionality that
> deals with policy-sources.
>
> What do you think of moving these functions into libselinux?
I think you want them in libsepol, not libselinux. The former is for
binary policy manipulation (which can still deal with the "active"
policy file that happens to be presently loaded, as long as said file
still exists on the filesystem and you can reliably find it) and can be
used even on non-SELinux systems (an important property for building and
analyzing policies). The latter is only for security-aware applications
running on a SELinux kernel.
I do plan to look into migrating genpolusers functionality into
libsepol, as I formerly did for genpolbools, to allow load_policy and
init to generate the users database based on local customizations at
load time, just as they currently set the booleans based on local
customizations at load time. I'm not sure what you want from libseuser;
you can certainly implement functions in libsepol that extract the set
of roles for a user and manipulate it.
--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency