RE: Alternative user management approach
> -----Original Message-----
> From: Casey Schaufler [mailto:casey@xxxxxxxxxxxxxxxx]
> Sent: Friday, June 24, 2005 1:26 PM
> To: Karl MacMillan; selinux@xxxxxxxxxxxxx
> Subject: RE: Alternative user management approach
>
> --- Karl MacMillan <kmacmillan@xxxxxxxxxx> wrote:
>
> > To make my suggestion more concrete, I think a
> > mapping file in
> > /etc/selinux/policyname that maps from users to
> > SELinux users. The config would
> > be an ordered list of mappings that use username and
> > group information. That
> > means that if the admin wants to use group info they
> > can, otherwise it is
> > ignored. The first match in the ordered list would
> > win. Maybe something like:
> >
> > id:root sysadm
> > group:wheel staff
> > default normal
> >
> > There are a lot of possibilities including boolean
> > logic, wildcards, etc. Not
> > certain how much complexity is needed.
>
> As a thought, how about:
>
> userid:grouplist:policyname
>
> where userid or grouplist can be '*' (any) and
> only exact matches count. Most explicit match
> is used.
>
> root:*:sysadm
> fred:wheel:wand
> *:wheel:staff
> *:*:normal
>
> Fred would be in "wand" if only in group wheel,
> in "normal" if in groups wheel and dev. Fun.
>
Looks reasonable to me - removes ordering which is nice (ordering is so fragile
and error prone). Now if we can just answer the hard question of whether the
whole concept makes sense . . .
Karl
---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134
>
> Casey Schaufler
> casey@xxxxxxxxxxxxxxxx
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
This mailing list archive is a service of Copilot Consulting.
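The resolver below is an added example, not code from Karl, Casey or the SELinux project. It implements the `userid:grouplist:policyname` scheme as Casey describes it (`*` means any, only exact matches count, the most explicit match wins) and reproduces his fred example. Everything beyond his sketch is an assumption: the group list is comma-separated and compared as a set, `#` comments and blank lines are ignored, a rule that names the user is considered more explicit than one that names only the groups, and a lookup fails loudly when no rule matches or when two equally explicit rules disagree, rather than silently picking one.

```python
"""Resolve a Linux user to an SELinux user with an unordered, most-explicit-match mapping file."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Constructed sample mapping file, taken from Casey's message in the thread.
SAMPLE_MAPPING = """\
# userid:grouplist:policyname   ('*' = any; comments are an assumption)
root:*:sysadm
fred:wheel:wand
*:wheel:staff
*:*:normal
"""


@dataclass(frozen=True)
class Rule:
    userid: str                         # '*' matches any user
    groups: Optional[FrozenSet[str]]    # None matches any group list
    policy: str                         # SELinux user to assign

    def matches(self, user: str, user_groups: FrozenSet[str]) -> bool:
        # Exact matches only: a group list of "wheel" does not match {wheel, dev}.
        if self.userid != "*" and self.userid != user:
            return False
        if self.groups is not None and self.groups != user_groups:
            return False
        return True

    @property
    def specificity(self) -> tuple:
        # Assumption: an explicit userid outranks an explicit group list.
        return (self.userid != "*", self.groups is not None)


def parse_mapping(text: str) -> List[Rule]:
    """Parse the mapping file into rules; malformed lines are rejected, not skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or not all(p.strip() for p in parts):
            raise ValueError(f"line {lineno}: expected userid:grouplist:policyname, got {raw!r}")
        userid, grouplist, policy = (p.strip() for p in parts)
        groups = None
        if grouplist != "*":
            groups = frozenset(g.strip() for g in grouplist.split(",") if g.strip())
        rules.append(Rule(userid, groups, policy))
    return rules


def lint_rules(rules: List[Rule]) -> List[str]:
    """Static check: two rules with the same userid and group list but different policies."""
    problems = []
    seen = {}
    for rule in rules:
        key = (rule.userid, rule.groups)
        if key in seen and seen[key] != rule.policy:
            problems.append(f"conflicting rules for {key}: {seen[key]} vs {rule.policy}")
        seen.setdefault(key, rule.policy)
    return problems


def resolve(rules: List[Rule], user: str, user_groups: Iterable[str]) -> str:
    """Return the policyname for user; raise LookupError if nothing matches or the match is ambiguous."""
    groups = frozenset(user_groups)
    matches = [r for r in rules if r.matches(user, groups)]
    if not matches:
        raise LookupError(f"no mapping for {user} with groups {sorted(groups)}")
    best = max(matches, key=lambda r: r.specificity)
    rivals = {r.policy for r in matches if r.specificity == best.specificity}
    if len(rivals) > 1:
        raise LookupError(f"ambiguous mapping for {user}: {sorted(rivals)}")
    return best.policy


if __name__ == "__main__":
    rules = parse_mapping(SAMPLE_MAPPING)
    for user, groups in [("root", []), ("fred", ["wheel"]), ("fred", ["wheel", "dev"]), ("alice", ["wheel"])]:
        print(f"{user} {sorted(groups)} -> {resolve(rules, user, groups)}")
```

Because matching is exact, fred lands in `wand` only when his group list is exactly `wheel`; once he is also in `dev`, neither `fred:wheel` nor `*:wheel` matches and he falls through to `*:*:normal`, which is the behaviour Casey points out. The `lint_rules` pass lets an admin catch contradictory rules at policy load time instead of at login.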