Rob Visser wrote:
> Hello,
>
> Is it possible to administer SELINUX users and RBAC stuff in LDAP? With RH
> directory server?
> It would be nice, since all the other stuff can be administered in LDAP.
>
> Rob Visser
>

We are working toward this goal. seusers is now used with libselinux which I
believe is a mistake. I want to move the selection of the SELinux user and MLS
Role into the login programs pam_selinux and sshd. RedHat is looking into
integration with FreeIPA.

The biggest problem we have now is how to select the correct seuser for a
machine. The following is a potential format for a seusers distributed file:

# Format
# loginname;machine;service;selinuxuser;level
# +name == group name
system_u;*;*;system_u;s0-s0:c0.c1023
root;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;people.redhat.com;*;xguest_u;s0
dwalsh;people.fedoraproject.com;*;xguest_u;s0
dwalsh;redline.boston.redhat.com;*;user_u;s0
dwalsh;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;redsox.boston.redhat.com;ssh;guest_u;s0-s0:c0.c1023
+engineering;redsox;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;*;staff_u;s0-s0:c0.c1023
*;*;xdm;xguest_u;s0
*;*;*;guest_u;s0

We have come up with a couple of formats for the "best match", but this has to
be easily understood by an administrator.

Anyways this conversation should take place on the selinux
<selinux@xxxxxxxxxxxxx> developer list

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
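As an added illustration of the "best match" problem the reply raises (this is not code from the post, libselinux or pam_selinux), the following parser and resolver work on a constructed subset of the proposed seusers format. The precedence rules (exact login over +group over `*`, then machine, then service) and the treatment of a bare short hostname as matching the host's first DNS label are assumptions made here, since the post leaves the matching rules open.

```python
SEUSERS = """\
# constructed sample (subset of the post's proposal): loginname;machine;service;selinuxuser;level  (+name == group)
dwalsh;people.redhat.com;*;xguest_u;s0
dwalsh;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;redsox.boston.redhat.com;ssh;guest_u;s0-s0:c0.c1023
+engineering;redsox;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;*;staff_u;s0-s0:c0.c1023
*;*;xdm;xguest_u;s0
*;*;*;guest_u;s0
"""

def parse_seusers(text):
    """Parse the 5-field ';'-separated format; '#' lines and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) != 5:
            raise ValueError("line %d: expected 5 fields, got %d" % (lineno, len(fields)))
        entries.append(tuple(fields))
    return entries

def _login_score(pattern, login, groups):
    # Exact login beats a +group beats '*'; 0 means the entry does not apply.
    if pattern == login:
        return 3
    if pattern.startswith("+") and pattern[1:] in groups:
        return 2
    return 1 if pattern == "*" else 0

def _field_score(pattern, value, aliases=()):
    # Exact value (or an alias such as the short hostname) beats '*'; 0 = no match.
    return 1 if pattern == "*" else 2 if pattern == value or pattern in aliases else 0

def lookup(entries, login, groups, machine, service):
    """Return (selinuxuser, level) of the most specific entry, or None.
    Assumed precedence: login column first, then machine, then service; a bare
    short hostname in the file is assumed to match the host's first DNS label."""
    best, best_key = None, (0, 0, 0)
    aliases = (machine.split(".")[0],)
    for user, mach, svc, seuser, level in entries:
        key = (_login_score(user, login, groups),
               _field_score(mach, machine, aliases),
               _field_score(svc, service))
        if 0 not in key and key > best_key:  # all three columns must match
            best, best_key = (seuser, level), key
    return best
```

Because the key is a tuple compared lexicographically, two entries that differ only in the service column are decided by that column alone, which is the kind of rule an administrator can predict from reading the file.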