On Fri, 2 Apr 2004 08:55, murphy pope <pope_murphy@xxxxxxxxxxx> wrote:

> Why does SELinux use a separate user database? Why doesn't SELinux read
> the /etc/passwd database instead of maintaining its own? Has anybody
> ever said "hey, we've already got one database, things will get a whole
> lot clearer if we invent another one instead"?

One thing that you have to consider is the use of NIS, LDAP, and other sources of account and password information. The SE Linux use of identities is compiled into the policy database which is loaded into the kernel and in normal system operation does not change. Having the SE Linux policy change according to a dynamic lookup of NIS or LDAP is not going to work well and may decrease security (NB in the standard policy /bin/login is not even permitted to read /etc/shadow).

Having the SE Linux policy generation process involve sucking down all data about accounts is not necessarily possible. LDAP servers may be (and usually are) configured to limit the number of items returned in a single query for performance reasons (I once made a machine with 8G of RAM thrash until it was unusable with a single LDAP query because of not having such limits). If the LDAP result limit is less than the number of users then having SE Linux policy generation use the complete list of users would not be possible.

The use of user_u identity is a good solution to these issues and the only solution for regular users. For users with higher access levels it should not be difficult to list them specially in the policy source files.

> There seems to be some difference between a domain and a type, although
> given the lack of documentation, I'm not convinced of that. If they are
> different, whose idea was it to use the same naming convention for
> both? Why not user_t and user_d? Use _t to indicate a type and _d to
> indicate a domain. Or do they have to be from the same namespace? Does
> a type named user_t always exactly correspond to a domain named user_t?
> If so, what's the difference between a domain and a type?

As James says, there is no difference, this is why they both end in _t. I agree that it can be confusing at the start, but it's not going to get changed at this time.

> Why do we need useradd and seuseradd? Shouldn't useradd give me the
> option to create an identity? Or better yet, shouldn't useradd create an
> identity by default and give me the option to create a generic user
> instead?

useradd definitely should not create identities by default. If it did then we would have identities "ntp", "apache", "named", "xfs", etc. We don't want that.

seuseradd is a good solution to this problem. It calls useradd (so /etc/default/useradd will be used in the regular manner), and it then does SE Linux stuff afterwards. I think that it is OK to have scripts that add system users continue to run as before, and have useradd work for adding user_u users, but require seuseradd for adding SE users.

> Sorry to sound so negative, but this stuff is not ready for prime-time

The version is Fedora Core 2 TEST 2. It's not expected to be fully ready for prime-time yet, we are working as fast as we can.

One thing you may consider is joining #fedora-selinux on irc.freenode.net. I am usually on there and ready to answer questions. We want to build up the SE Linux skills of the community to help in solving such problems.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
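Added example (not part of the message above, and not taken from any Fedora or NSA policy source): a constructed fragment in the style of the old example policy's `users` file, showing what the reply means by compiling identities into the policy and listing only privileged users specially. Everyone else maps to the generic `user_u` identity, so account churn in /etc/passwd, NIS or LDAP never changes the compiled policy. The role names `user_r`, `staff_r` and `sysadm_r` are assumed from the example policy of that era, and `alice` is a constructed account name.

```text
# Constructed illustration of a policy users file (not an actual system's file).
# Every declaration here is compiled into the policy database; the kernel never
# consults /etc/passwd, NIS or LDAP to decide which identity a login gets.

# Identity used for processes started by init and other system daemons.
user system_u roles system_r;

# Generic identity for all ordinary accounts. Because no real account names
# appear here, adding or removing users in the account database does not
# require a policy rebuild.
user user_u roles { user_r };

# Only accounts that need elevated roles are listed by name, so the
# privileged set is small, explicit and reviewable.
user root  roles { staff_r sysadm_r };
user alice roles { staff_r sysadm_r };   # constructed admin account
```

The defensive payoff of this layout is that the set of identities able to reach `sysadm_r` is a short, static list in source control, rather than something derived at runtime from a directory service whose query limits and availability the policy compiler cannot rely on.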