Re: Alternative user management approach
> The biggest challenge after this is labeling, how to label home
> directories
How to label the home directories?
Will directories keep their role-dependent contexts?
Sounds like:
useradd ---->
    (add a linux user)
    -------> security_create_policydb_default()
             (map file, load bools, load users, create policydb)
    -------> sepol_user_suser_map_file()
             (writes to user->suser map (file backend))
             --------> sepol_suser_get_defrole_file(suser)
                       (gets def. context (and thus ROLE) for user's suser)
             --------> sepol_fscon_user_add()
                       (writes user's file contexts based on this)
                       (uses template...)
    -------> security_destroy_policydb();

suseradd ---->
    (add a selinux user/class)
    -------> security_create_policydb_default()
             (map file, load bools, load users, create policydb)
    -------> sepol_suser_add_file()
             (sepol function to do that using file backend)
             (writes to suser->roles map)
             ----------> sepol_suser_add_policy()
                         (add suser to binary policy)
    -------> security_load_policydb();
    -------> security_destroy_policydb();
Please note that none of this addresses the speed issue.
A policydb still needs to be constructed for validation purposes.
However, it does address the scalability concern of not
loading every user into the kernel policy.
--
This message was distributed to subscribers of the selinux mailing list.
This mailing list archive is a service of Copilot Consulting.
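Added illustration of the design sketched in the message above (not code from the post, from libsepol, or from the SELinux project): an in-memory stand-in for the file backend holding the user->suser and suser->roles maps, with the useradd/suseradd steps that resolve a suser's default role and fill a homedir template for the user's home directory. The store, its methods, the ROLE/HOME_DIR placeholders and the template lines are hypothetical stand-ins for the sepol_* calls named in the post.

```python
import re

# Constructed template in the style of a homedir_template file: ROLE stands
# for the role prefix (user_r -> user) and HOME_DIR for the home path.
HOMEDIR_TEMPLATE = [
    "HOME_DIR\t-d\tsystem_u:object_r:ROLE_home_dir_t",
    "HOME_DIR/.*\t\tsystem_u:object_r:ROLE_home_t",
]

def _escape_path(path):
    # file_contexts entries are regexes, so protect metacharacters in the path
    return re.sub(r"([.+*?^$()\[\]{}|\\])", r"\\\1", path)

class SuserStore:
    """In-memory stand-in for the post's file backend (hypothetical)."""
    def __init__(self):
        self.user_to_suser = {}   # linux user -> selinux user (suser)
        self.suser_roles = {}     # suser -> set of roles it may take
        self.suser_defrole = {}   # suser -> default role (first one listed)

    def suser_add(self, suser, roles):
        # suseradd step: record the suser and its roles in the suser->roles map
        if not roles or suser in self.suser_roles:
            raise ValueError("bad or duplicate suser %r" % suser)
        self.suser_roles[suser] = set(roles)
        self.suser_defrole[suser] = roles[0]

    def user_map(self, user, suser):
        # useradd step: map the linux user onto an existing suser; an unknown
        # suser is refused so that every mapped user resolves to a default role
        if suser not in self.suser_roles:
            raise KeyError("unknown suser %r" % suser)
        self.user_to_suser[user] = suser

    def get_defrole(self, suser):
        # stand-in for sepol_suser_get_defrole_file(): default role of a suser
        return self.suser_defrole[suser]

    def fscon_user_add(self, user, home_root="/home"):
        # stand-in for sepol_fscon_user_add(): derive the home-directory file
        # contexts from the default role of the user's suser via the template
        role = self.get_defrole(self.user_to_suser[user])
        prefix = role[:-2] if role.endswith("_r") else role
        home_dir = _escape_path("%s/%s" % (home_root, user))
        return [line.replace("HOME_DIR", home_dir).replace("ROLE", prefix)
                for line in HOMEDIR_TEMPLATE]
```

The check in user_map is the scalability point of the post in miniature: validating a new user needs only the suser map, not a load of every user into the kernel policy.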