
Re: Alternative user management approach



--- Joshua Brindle <jbrindle@xxxxxxxxxx> wrote:


> The biggest challenge after this is labeling,
> how to label home directories (Probably should
> only be done at useradd time, or when you 
> log into a computer the first time with LDAP, the
> utilities will have to 
> be a bit smarter about labeling)

Unix MLS systems require that the home directory
be labeled upon creation, usually by the useradd
utility or the local equivalent, but sometimes
by hand. Spontaneous creation of home directories
on first login was never on anyone's high priority
todo list, so it remains an unsolved problem.
There are systems that will automount your
home directory, but that requires MLS-aware NFS.

Unix MLS systems keep a default label as well as
a clearance, using the default label for the user
as label for the home directory. It is of course
possible to muck things up by having a default label
that is not dominated by all labels in your
clearance, but most sysadmins figure that out
very quickly.

Of course, on Unix MLS systems all files have
labels attached, per the TCSEC requirements,
unless an entire file system is unlabeled in
which case all files are treated at the same
sensitivity. I don't know if y'all plan to
label all files for SELinux MLS or what you
might do instead.



Casey Schaufler
casey@xxxxxxxxxxxxxxxx
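
The default-label condition described in the message above, as an added example that is not part of the original post: a check, of the kind a useradd-style tool could run, that every label in a user's clearance dominates the default label used for the home directory. The label syntax, level names and sample users are constructed for illustration and do not come from any particular MLS system.

```python
# Added example: MLS dominance check for a user's default (home directory) label.
# Assumed label syntax: "level[:cat1,cat2]"; levels and users below are constructed.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "topsecret": 3}


def parse_label(text):
    """Parse 'level[:cat,cat]' into (rank, frozenset of categories)."""
    level, _, cats = text.strip().partition(":")
    level = level.strip().lower()
    if level not in LEVELS:
        raise ValueError(f"unknown sensitivity level: {level!r}")
    categories = frozenset(c.strip().lower() for c in cats.split(",") if c.strip())
    return LEVELS[level], categories


def dominates(a, b):
    """True if label a dominates label b: level is >= and categories are a superset."""
    (rank_a, cats_a), (rank_b, cats_b) = parse_label(a), parse_label(b)
    return rank_a >= rank_b and cats_a >= cats_b


def unreachable_logins(default_label, clearance_labels):
    """Return the clearance labels that do NOT dominate the default label.

    A session running at one of these labels cannot read a home directory
    labeled at default_label, because reading requires subject >= object.
    """
    return [lbl for lbl in clearance_labels if not dominates(lbl, default_label)]


if __name__ == "__main__":
    # Constructed sample accounts: (default label, labels in the clearance).
    users = {
        "alice": ("confidential", ["confidential", "secret:crypto"]),
        "bob": ("secret:crypto", ["confidential", "secret:crypto", "topsecret:nato"]),
    }
    for name, (default, clearance) in users.items():
        bad = unreachable_logins(default, clearance)
        if bad:
            print(f"{name}: default label {default!r} not dominated by {bad}")
        else:
            print(f"{name}: ok, home directory at {default!r} is readable at every login label")
```

Note that `topsecret:nato` fails for `bob` even though its level is higher: the category sets are incomparable, so neither label dominates the other.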
