I'm curious why the ypcat cron with a make reload would present its own issues. I guess it must be a security context issue since I'm new to it. Is there a better alternative to visiting each machine manually and adding the line to /etc/selinux/users (assuming that's where it is on my Fedora Core 2 machine)? I see there's something about local policy changes being placed in /etc/security/selinux/src/policy/domains/misc/. Can I also put a users in there (or somewhere else). If so, I suppose I could have a central NFS auto-mounted location for my local users file. So at boot time, I have a nice sane policy (your default which maps all users to user user_u. But when everything is finished booting I have some additional information for my users wherever you tell me to add it. I guess my rc.local would then need to perform a make reload to incorporate this additional information. Would this be an easy and sustainable way to achieve what I want? Do you have any better ideas? I can't be the only person who wants to do this, can I? I feel like what I'm asking is not unreasonable. Is SELinux intended for single machines working in insecure environments? Daniel J. Levine Section Supervisor Johns Hopkins University Applied Physics Laboratory 443-778-3952 240-228-3952 -----Original Message----- From: Russell Coker [mailto:russell@xxxxxxxxxxxx] Sent: Thursday, June 10, 2004 9:46 AM To: fedora-selinux-list@xxxxxxxxxx Cc: Levine, Daniel J.; Stephen Smalley Subject: Re: Getting the user ID in log messages... On Thu, 10 Jun 2004 22:17, "Levine, Daniel J." <Daniel.Levine@xxxxxxxxxx> wrote: > Thanks, I managed to figure that out from the "Getting Started with SELinux > HOWTO" from the adding a user section. For a standalone system, I can see > how this is no big deal. Every time I add a user, I add the user to the > /etc/selinux/users file. But suppose I have 100 machines, I would need to > add it to 100 systems. This is why I use NIS to manage my password and > shadow files. I suppose one homegrown solution would be to put > /etc/selinux/users into an NIS map (users.byname) and periodically (every > half-hour perhaps) have a cron job perform a ypcat users.byname > > /etc/selinux/users. Is there a standard map one could use or a PAM module > that's aware of such needs. There is no standard way of doing this. Maybe you will set the standard if you do it first! ;) Having a cron job automatically generate and load a SE Linux policy has it's own issues as well. > Suppose I wasn't using something as old as NIS, like OpenLDAP, is there a > standard mechanism for putting this information into its databases? And if > not, should there be one? Probably there should. But we'll need to get an OID assigned for this. > Perhaps my problem is simpler to solve than this. All I really need is the > user ID of the person who logged in to the system. This identifies whose > account was used to perpetrate the illegal access. Could the user ID > number and user name be added to the log messages when violations occur? At the moment no. Maybe this is something for the audit facility rather than SE Linux kernel code. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
