On Tue, 2005-02-15 at 11:22, Daniel J Walsh wrote:
Thoughts on moving some of the functions available in setools into
libselinux.

Basically I want to add the ability to add roles via the adduser command
(shadow-utils) and thus make dealing with roles easier in OS. The
problem is that I don't want to require setools in order to get this
functionality (libseuser).

I need the ability to get the roles that are available via the currently
running policy and to manipulate the users defined in the local.users
file. I then need to have genpolusers type functions to allow me to
change the running policy. We don't need the functionality that deals
with policy-sources.

What do you think of moving these functions into libselinux?

I think you want them in libsepol, not libselinux. The former is for
binary policy manipulation (which can still deal with the "active"
policy file that happens to be presently loaded, as long as said file
still exists on the filesystem and you can reliably find it) and can be
used even on non-SELinux systems (an important property for building and
analyzing policies). The latter is only for security-aware applications
running on a SELinux kernel.
I do plan to look into migrating genpolusers functionality into
libsepol, as I formerly did for genpolbools, to allow load_policy and
init to generate the users database based on local customizations at
load time, just as they currently set the booleans based on local
customizations at load time. I'm not sure what you want from libseuser;
you can certainly implement functions in libsepol that extract the set
of roles for a user and manipulate it.