As was recommended to me, I'm sending this to the list. I was recommended to go to -devel, but this list seems a heck of a lot more appropriate, so here it is. Note that although I'm now subscribed I have delivery turned off, so CC me if you want a response. I check the web mail archives too, but I can't respond to messages posted there. (I'd love to add that ability, tho; a form to respond to any list mail using your subscribed mail address and account password... would be sweet.)

Red Hat Bugzilla #120571 (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120571)

I wrote a script and patch for adding /etc/roles support to SELinux. So, instead of needing to hack in m4 macros and botch the ability to upgrade sources with RPM, you can just edit /etc/roles and rebuild the policy nice and clean like.

Still need to figure out how to tell the policy (or system utilities) what the default login role should be. A user with user_r and sysadm_r roles, for example, should not have sysadm_r as the default. The default_contexts file does this, but I'm not comfortable modifying that file with a script.

Also, some tools like addrole and delrole would be nice, for modifying the /etc/roles file and automatically rebuilding/reloading the policy. useradd/userdel should also support this functionality. The silly seadduser command should also be fixed/removed; just make it so a flag to useradd gives a default role, and if the default role is omitted, don't add an /etc/roles entry. (Users not in /etc/roles wouldn't have an SELinux user ID, unless manually added to the policy sources.) Makes a heck of a lot more sense than a separate seuseradd command. I think there was a bugzilla entry regarding that, not sure what bug# though.

Additionally, a command like "policy" or "selinux" for modifying various SELinux attributes would be great (for example, pull in the selinuxenabled command, and add something like "rebuild" or "load" as well for rebuilding and reloading the policy). Would make administration a lot easier and saner, which SELinux needs a lot of...

-- 
Sean Middleditch <elanthis@xxxxxxxxxxxxxxx>
AwesomePlay Productions, Inc.