
RE: Alternative user management approach


On Fri, 2005-06-24 at 14:36 -0400, Karl MacMillan wrote:
> Which will be done by login processes through libselinux. Haven't looked, but it
> may not even need an api change.

get_ordered_context_list(3) and friends.  login and su use
get_ordered_context_list(3) via pam_selinux.
Most other programs just use get_default_context(3), which is
implemented internally via get_ordered_context_list(3), just taking the
first one.  sshd also uses get_default_context_with_role(3) if a role
was specified, which just takes the first one with a matching role if it
exists.

In each case, the input is just the Linux username, and it returns the
security context(s) to use for the user's process.  You'd have to
internally determine the group set if you wanted to base decisions on
that as well.

-- 
Stephen Smalley
National Security Agency
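
Added example, not part of the original message and not libselinux code: a stand-alone C model of the selection rules described above, in which the default is the first entry of the ordered list and the role variant is the first entry whose role field matches. The `model_*` function names, the `jdoe_u` contexts, and the NULL return for "no match" are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an ordered context list for one hypothetical Linux
 * user, NULL-terminated. Values are illustrative, not from a real policy. */
static const char *const sample_list[] = {
    "jdoe_u:staff_r:staff_t",
    "jdoe_u:sysadm_r:sysadm_t",
    "jdoe_u:user_r:user_t",
    NULL
};

/* 1 if the role (second ':'-separated field) of ctx is exactly `role`. */
static int context_has_role(const char *ctx, const char *role)
{
    const char *start = strchr(ctx, ':');
    if (start == NULL) return 0;        /* malformed: no role field */
    start++;
    const char *end = strchr(start, ':');
    if (end == NULL) return 0;          /* malformed: no type field */
    size_t len = (size_t)(end - start);
    /* Compare the whole field so "sysadm" never matches "sysadm_r". */
    return strlen(role) == len && strncmp(start, role, len) == 0;
}

/* Model of the "just take the first one" rule. */
static const char *model_default_context(const char *const *list)
{
    return list != NULL ? list[0] : NULL;
}

/* Model of "first one with a matching role if it exists"; NULL otherwise
 * (the NULL return is this sketch's own convention). */
static const char *model_default_context_with_role(const char *const *list,
                                                   const char *role)
{
    if (list == NULL || role == NULL) return NULL;
    for (size_t i = 0; list[i] != NULL; i++)
        if (context_has_role(list[i], role))
            return list[i];
    return NULL;
}

int main(void)
{
    printf("default:  %s\n", model_default_context(sample_list));
    printf("sysadm_r: %s\n", model_default_context_with_role(sample_list, "sysadm_r"));
    return 0;
}
```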


--
This message was distributed to subscribers of the selinux mailing list.