On Fri, 2013-11-08 at 09:28 -0200, Leonidas Da Silva Barbosa wrote:

> > > The idea is nice, but an admin could script this up in a heartbeat
> >
> I agree, but the idea is to make this more visible. Today we know we have
> an admin role, but to reach that some steps are needed. Putting it into a
> tool gives some highlight to the use of admin roles and user admins IMHO.

There are probably more effective ways to make it visible.

> > > +# PATH to staff_u that will be base to new users created.
> > > +STAFF_U = "staff_u"
> >
> > This is very generic and inflexible in my opinion. I would probably have
> > implemented a configuration file where the admin can set
> > "default_admin_selinux_identity=", and additionally an
> > admin_selinux_identity option to override the default.
> >
> The idea was really to have only staff as the start point, once staff_r is
> already an isolated domain.

I can see that that was the idea. I think the idea is sub-optimal.

> > So how are you going to specify then that joe is associated with webadm
> > and jane is associated with mailadm?
>
> This works via sudo and also via the link between LOGIN and the created
> SELinux admin user. So, Joe can transition to webadm from
> staff_u:staff_r:staff_t to se_webadm_u:webadm_r:webadm_t.
> I'm not sure if it was your point; please let me know more about your
> thoughts on that.

That does not make sense to me. se_webadm_u has no place in this example.
It's staff_u/staff_r/staff_t manually changing to staff_u/webadm_r/webadm_t
via sudo, if I read your code correctly.

The problem is that if you associate more than a single admin role to
staff_u, then all the users associated with staff_u will have access to all
those roles from a SELinux point of view.

This seems to me undesirable.

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
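Added example, not part of the thread or of the patch under discussion: a Python check over constructed text in the shape of `semanage user -l` and `semanage login -l` output, showing the point made above. Every login mapped to a SELinux user reaches every admin role attached to that user, regardless of how sudo is configured, so a staff_u carrying webadm_r and mailadm_r hands both to joe and jane alike. The sample rows (staff_u, webadm_u, mailadm_u, joe, jane, bob) are constructed.

```python
import re

# Constructed sample in the shape of `semanage user -l` output (not captured from a real host).
SEMANAGE_USERS = """\
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r webadm_r mailadm_r
webadm_u        user       s0         s0-s0:c0.c1023                 staff_r webadm_r
mailadm_u       user       s0         s0-s0:c0.c1023                 staff_r mailadm_r
"""

# Constructed sample in the shape of `semanage login -l` output.
SEMANAGE_LOGINS = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
joe                  staff_u              s0-s0:c0.c1023       *
jane                 staff_u              s0-s0:c0.c1023       *
bob                  webadm_u             s0-s0:c0.c1023       *
"""

# Roles named like webadm_r, mailadm_r or sysadm_r are treated as admin roles here.
ADMIN_ROLE = re.compile(r"\w+adm_r")

def parse_table(text, header_word, min_cols):
    """Yield whitespace-split fields of each data row, skipping header and blank lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= min_cols and parts[0] != header_word:
            yield parts

def parse_users(text):
    """{selinux_user: set(roles)} from `semanage user -l` style text."""
    return {p[0]: set(p[4:]) for p in parse_table(text, "SELinux", 5)}

def parse_logins(text):
    """{linux_login: selinux_user} from `semanage login -l` style text."""
    return {p[0]: p[1] for p in parse_table(text, "Login", 4)}

def admin_roles_per_login(users_text, logins_text):
    """Admin roles each login can reach purely through its SELinux user mapping."""
    users = parse_users(users_text)
    return {login: sorted(r for r in users.get(seuser, ()) if ADMIN_ROLE.fullmatch(r))
            for login, seuser in parse_logins(logins_text).items()}

def overbroad_seusers(users_text):
    """SELinux users that aggregate more than one admin role: every login mapped to
    them can reach all of those roles from SELinux's point of view, whatever sudo says."""
    return sorted(u for u, roles in parse_users(users_text).items()
                  if sum(1 for r in roles if ADMIN_ROLE.fullmatch(r)) > 1)
```

On a real host the two constants would be replaced by the captured output of the two `semanage` commands; the dedicated webadm_u and mailadm_u rows show the per-admin SELinux user layout that keeps each login down to one admin role.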