On Thu, 10 Jun 2004 22:17, "Levine, Daniel J." <Daniel.Levine@xxxxxxxxxx> wrote:

> Thanks, I managed to figure that out from the "Getting Started with SELinux
> HOWTO" from the adding a user section. For a standalone system, I can see
> how this is no big deal. Every time I add a user, I add the user to the
> /etc/selinux/users file. But suppose I have 100 machines, I would need to
> add it to 100 systems. This is why I use NIS to manage my password and
> shadow files. I suppose one homegrown solution would be to put
> /etc/selinux/users into an NIS map (users.byname) and periodically (every
> half-hour perhaps) have a cron job perform a ypcat users.byname >
> /etc/selinux/users. Is there a standard map one could use or a PAM module
> that's aware of such needs.

There is no standard way of doing this. Maybe you will set the standard if
you do it first! ;)

Having a cron job automatically generate and load a SE Linux policy has its
own issues as well.

> Suppose I wasn't using something as old as NIS, like OpenLDAP, is there a
> standard mechanism for putting this information into its databases? And if
> not, should there be one?

Probably there should. But we'll need to get an OID assigned for this.

> Perhaps my problem is simpler to solve than this. All I really need is the
> user ID of the person who logged in to the system. This identifies whose
> account was used to perpetrate the illegal access. Could the user ID
> number and user name be added to the log messages when violations occur?

At the moment no. Maybe this is something for the audit facility rather
than SE Linux kernel code.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
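The cron-job map sync described in the quoted message, as an added example that is not from this thread: it takes the captured output of ypcat users.byname from a file, refuses to install an empty or malformed map (a bare redirect would truncate /etc/selinux/users whenever NIS was unreachable, leaving the policy with no user definitions), writes the file atomically, and reports through its exit status whether a policy reload is needed at all. The "user NAME roles { ROLE };" line syntax is assumed from the example policy's users file, and the sample map below is constructed.

```shell
# Added example, not from the thread. Safer replacement for
#   ypcat users.byname > /etc/selinux/users
# Intended cron use: ypcat users.byname > /tmp/map && install_selinux_users /tmp/map /etc/selinux/users
# Exit status: 0 = installed (reload policy), 3 = unchanged (skip reload), 1 = input rejected.
# Accepted line syntax (assumption, from the old example policy users file):
#   user NAME roles ROLE;   or   user NAME roles { ROLE ROLE ... };
install_selinux_users() {
    map=$1 target=$2
    # An empty map means NIS was unreachable or the map is broken: never install it.
    [ -s "$map" ] || { echo "refusing empty map $map" >&2; return 1; }
    # Every line must be a user declaration; one stray line rejects the whole map.
    if grep -Ev '^user [A-Za-z_][A-Za-z0-9_.-]* roles (\{( [a-z_]+)+ \}|[a-z_]+);$' "$map" \
        | grep -q .; then
        echo "malformed line in $map, not installing" >&2; return 1
    fi
    # Identical content: leave the file alone so the caller can skip the reload.
    if [ -f "$target" ] && cmp -s "$map" "$target"; then
        return 3
    fi
    # Write to a temp file and rename so readers never see a half-written file.
    tmp="$target.tmp.$$"
    cp "$map" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$target"
}

# Stand-alone demonstration on a constructed map (not a real NIS dump).
demo=$(mktemp -d)
printf 'user system_u roles system_r;\nuser dlevine roles { user_r };\n' > "$demo/map"
if install_selinux_users "$demo/map" "$demo/users"; then echo "first run: installed"; fi
if install_selinux_users "$demo/map" "$demo/users"; then :; else echo "second run: status $?"; fi  # status 3
: > "$demo/empty"
if install_selinux_users "$demo/empty" "$demo/users"; then :; else echo "empty map: status $?"; fi  # status 1
rm -rf "$demo"
```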