On Wed, 2004-04-07 at 13:42, Jeremy Katz wrote:
> We're going to have to do something about this anyway. NFS /home is not
> uncommon and there's no way to do full security contexts with NFS --
> it's just not in the protocol at all. And that doesn't even start to
> get into more bizarre things like AFS ;)

ssh.te already has an ifdef for nfs_home_dirs, which allows it to read
nfs_t:{dir file}. We could probably make that a bit more generic and have
a /etc/security/selinux/home_dir_context which, if it exists, is used by
any program that would otherwise use a specialized type.

> And then I either have to type my password n times or use an ssh key or
> something else like that (or an expect script). But what happens if baz
> is down when I push my update? I then have to remember to go back and
> update it later when it comes back up. And that's with four machines.
> As you get to more and more machines, it gets increasingly less
> manageable to do things like that.

Ok.

> At which point we're basically creating a duplicate of nis/ldap but with
> other bits thrown on top :/

Maybe one solution would be to have a little SELinux daemon that the
kernel talks to over netlink to determine user identity. This daemon could
then do things like talk to LDAP or whatever.