Re: Groups in the alternative user solution

[Stephen Smalley <sds@xxxxxxxxxxxxx>]

On Tue, 2005-06-28 at 13:34 -0400, Ivan Gyurdiev wrote:
> So, how will groups work.
> 
> In particular,
> 
> a user belongs to multiple groups, each of which
> may have a selinux user mapping, in addition to
> the user herself possibly having a corresponding
> selinux user. Also, there's the default mapping.
> 
> - How should the selection work?
> - What would be the useradd interface for mapping
> a user to a selinux user?
> - What would be the interface for mapping a group
> to a selinux user?

I'd actually suggest that we not try to map Unix/Linux groups to SELinux
users at all, and require explicit Linux user -> SELinux user mappings.
Unix groups and SELinux user identities serve very different purposes,
and I can't see a good reason to link them together (and definite danger
in doing so).  Better to require them to manage that mapping
separately.  

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.