
RE: Alternative user management approach


cc-ed Dan Walsh...

Please take a look at this proposal.
The suggestion is that we use more generic "SELinux users"
instead of creating an selinux user for every user.

> > Also, what's to stop you from implementing this with the current
> > mechanism?
> > 
> > The "role class" could be the SELinux user.
> > 
> > Then useradd could be changed to only reload policy if you're adding
> > new SELinux users ("role classes"). Better - useradd would stay
> > unchanged, and a new application would be written called
> > classadd or something.
> > 
> 
> That sounds good to me, actually. No need to remove the local.users
> infrastructure - we can just use it for the role users.
> 
> > Then you'd still need to map users to their SELinux users/classes
> > though..
> 
> Which will be done by login processes through libselinux. Haven't looked, but it
> may not even need an api change.

How exactly would this be done?
Currently there's a 1:1 mapping from user to selinux user. I assumed this
is hardcoded - is this not the case? I'm not sure what login utilities
do..

If it is hardcoded, it needs to be made configurable, and integrated
w/ useradd utilities.


--
This message was distributed to subscribers of the selinux mailing list.


This mailing list archive is a service of Copilot Consulting.
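As an added example (not code from this thread and not libselinux's own implementation), the following C program shows the configurable login-to-SELinux-user mapping the message asks for: a small table, rather than hardcoded 1:1 entries, maps Linux logins to a handful of generic SELinux users, with a `__default__` entry catching everyone else. The table format assumed here, `login:seuser:mls_range`, is the one libselinux's `getseuserbyname()` reads from its seusers file today; the two tables in the code are constructed samples, and `resolve_seuser`, `seuser_for` and `mapping_kind` are names chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup, strtok_r */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample table: login : SELinux user : MLS range.
 * Only a few generic SELinux users exist; most logins fall through to
 * the __default__ entry, so adding a Linux user needs no policy reload. */
static const char sample_seusers[] =
    "# login : SELinux user : MLS range\n"
    "root:root:s0-s0:c0.c1023\n"
    "alice:staff_u:s0\n"
    "__default__:user_u:s0\n";

/* Same idea without a fallback line: unknown logins get no mapping,
 * which a login program must treat as a failure rather than guessing. */
static const char sample_no_default[] =
    "alice:staff_u:s0\n";

/*
 * Look up login in config.  Returns 0 on an explicit match, 1 when the
 * __default__ entry was used, -1 when no entry applies.  On success the
 * SELinux user and MLS range are copied into the caller's buffers.
 */
int resolve_seuser(const char *config, const char *login,
                   char *seuser, size_t seuser_len,
                   char *range, size_t range_len)
{
    char *copy = strdup(config);            /* strtok_r modifies its input */
    if (!copy)
        return -1;

    int result = -1;
    char *save = NULL;
    for (char *line = strtok_r(copy, "\n", &save); line != NULL;
         line = strtok_r(NULL, "\n", &save)) {
        if (line[0] == '#' || line[0] == '\0')
            continue;                       /* comment or blank line */

        char *sep = strchr(line, ':');
        if (!sep)
            continue;                       /* malformed: no SELinux user field */
        *sep = '\0';
        const char *name = line;
        char *user = sep + 1;

        /* The range is everything after the second colon: an MLS range such
         * as s0-s0:c0.c1023 itself contains colons, so do not split further. */
        const char *rng = "";
        sep = strchr(user, ':');
        if (sep) {
            *sep = '\0';
            rng = sep + 1;
        }

        if (strcmp(name, login) == 0) {
            snprintf(seuser, seuser_len, "%s", user);
            snprintf(range, range_len, "%s", rng);
            result = 0;
            break;                          /* explicit entry wins */
        }
        if (result == -1 && strcmp(name, "__default__") == 0) {
            snprintf(seuser, seuser_len, "%s", user);
            snprintf(range, range_len, "%s", rng);
            result = 1;                     /* remember fallback, keep scanning */
        }
    }
    free(copy);
    return result;
}

/* Convenience wrapper: the SELinux user for login, or NULL if unmapped. */
const char *seuser_for(const char *config, const char *login)
{
    static char seuser[64], range[128];
    if (resolve_seuser(config, login, seuser, sizeof seuser,
                       range, sizeof range) < 0)
        return NULL;
    return seuser;
}

/* Convenience wrapper: 0 explicit match, 1 via __default__, -1 unmapped. */
int mapping_kind(const char *config, const char *login)
{
    char seuser[64], range[128];
    return resolve_seuser(config, login, seuser, sizeof seuser,
                          range, sizeof range);
}

int main(void)
{
    const char *logins[] = { "root", "alice", "bob" };
    char seuser[64], range[128];
    for (size_t i = 0; i < 3; i++) {
        int kind = resolve_seuser(sample_seusers, logins[i],
                                  seuser, sizeof seuser, range, sizeof range);
        if (kind < 0)
            printf("%s: no SELinux user mapping\n", logins[i]);
        else
            printf("%s -> %s (%s)%s\n", logins[i], seuser, range,
                   kind == 1 ? " [via __default__]" : "");
    }
    return 0;
}
```

The point of the explicit return codes is that a login program can tell an intended fallback (`1`) from a missing mapping (`-1`): the second sample table has no `__default__` line, so a login not listed in it gets no SELinux user at all, and the caller should refuse rather than pick one.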