Re: [PATCH 0/5] sepolicy admin feature


On 11/07/2013 10:20 AM, Leonidas Da Silva Barbosa wrote:
> These patches provide support for a new tool in sepolicy (admin). The goal
> here is to give a user the ability to create new SELinux users, referred to
> here as admin users, using admin roles, e.g. secadm_r, logadm_r, dbadm_r,
> etc.
> 
> Since sepolicy also intends to be used to create admin roles, I believe the
> admin tool can be used to complement the creation of those roles.
> 
> sepolicy admin works by creating admin users and linking a SELinux admin
> user to a UNIX login that can transition from staff_r to 'adm_r' through sudo.
> 
A couple of quick comments on this. First, I don't want to require sepolicy to
be run as root if at all possible. Generating scripts that need to be run as
root would be fine, as we do with sepolicy generate, or using the dbus
interface defined by sepolicy gui would be ok.

Secondly, if I am going to make changes to the system, I would like to make it
easy to make changes to lots of systems. So how do I repeat these changes on
multiple machines?

Generating a named script that I could then copy and execute on multiple
machines seems attractive to me; it also helps admins learn what is going on
under the covers.

Too much is hard-coded in the tool. We now have mechanisms to extract
information about the range of categories available; we should use this.

I would like to be able to create new admin roles/types on the fly.

Something that would take a name and multiple _admin interfaces.

sepolicy generate --confined_admin -u staff_u -a apache -a mysql -n apachemysql

would generate policy for a mysql/apache admin; then can we draw this into
your tool?

Or do we just enhance sepolicy generate to include some of the stuff you are
trying to do?

> ---
> 
> Leonidas Da Silva Barbosa (5):
>   adding seadmin support
>   adding changes to sepolicy argparse, seadmin option
>   Adding seadmin manpage
>   Adding seadmin manpage info into sepolicy.8
>   adding completion to seadmin feature
> 
>  policycoreutils/sepolicy/sepolicy-admin.8          | 40 +++++++++++
>  .../sepolicy/sepolicy-bash-completion.sh           | 18 ++++-
>  policycoreutils/sepolicy/sepolicy.8                |  5 ++
>  policycoreutils/sepolicy/sepolicy.py               | 52 ++++++++++++++
>  policycoreutils/sepolicy/sepolicy/seadmin.py       | 83 ++++++++++++++++++++++
>  5 files changed, 197 insertions(+), 1 deletion(-)
>  create mode 100644 policycoreutils/sepolicy/sepolicy-admin.8
>  create mode 100644 policycoreutils/sepolicy/sepolicy/seadmin.py
> 

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
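The reply above argues for emitting a named, reviewable script (run as root later, possibly on many machines) rather than having sepolicy itself make changes as root. The following Python is an added example of that approach, written for this thread; it is not code from the seadmin patches or from sepolicy. It assumes the standard `semanage user -a -R ... -r ...`, `semanage login -a -s ...` and sudoers `ROLE=`/`TYPE=` syntax, and the role-to-type table and name checks are assumptions made for the example. The generator validates its inputs so that nothing shell-special can reach the emitted script or the sudoers drop-in, and it executes nothing itself.

```python
"""
Generate a reviewable, root-runnable shell script that creates a confined
SELinux admin user and ties a Linux login to it, along the lines suggested
in the thread (emit a named script instead of running sepolicy as root).
Added example; not code from the sepolicy patches.
"""
import re
import shlex

# Role -> type pairs for the admin roles named in the thread. This table is an
# assumption made for the example; a real tool would read roles from policy.
ADMIN_ROLE_TYPES = {
    "secadm_r": "secadm_t",
    "logadm_r": "logadm_t",
    "dbadm_r": "dbadm_t",
}

# Conservative name syntax so nothing shell-special reaches the script or sudoers.
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# Simplified MLS range check (e.g. "s0" or "s0-s0:c0.c1023"); comma-separated
# category lists are deliberately not accepted by this example.
_RANGE_RE = re.compile(r"^s\d+(-s\d+(:c\d+(\.c\d+)?)?)?$")


def _check_name(value, what):
    """Reject logins / SELinux user names outside the conservative syntax."""
    if not _NAME_RE.match(value):
        raise ValueError("invalid %s: %r" % (what, value))
    return value


def generate_admin_script(login, seuser, admin_role, mls_range="s0-s0:c0.c1023"):
    """Return the text of a shell script an administrator can inspect, copy to
    several machines and run as root. Nothing is executed here."""
    _check_name(login, "login")
    _check_name(seuser, "SELinux user")
    if admin_role not in ADMIN_ROLE_TYPES:
        raise ValueError("unsupported admin role: %r" % admin_role)
    if not _RANGE_RE.match(mls_range):
        raise ValueError("invalid MLS range: %r" % mls_range)

    admin_type = ADMIN_ROLE_TYPES[admin_role]
    # The SELinux user starts in staff_r and may reach the admin role via sudo.
    roles = "staff_r %s" % admin_role
    sudoers_line = "%s ALL=(ALL) ROLE=%s TYPE=%s ALL" % (login, admin_role, admin_type)
    sudoers_file = "/etc/sudoers.d/%s" % login

    lines = [
        "#!/bin/sh",
        "# Generated script: creates SELinux user %s for login %s." % (seuser, login),
        "# Review it, then run as root on each target machine.",
        "set -e",
        "",
        "# 1. Define the SELinux user with its allowed roles and MLS range.",
        "semanage user -a -R %s -r %s %s"
        % (shlex.quote(roles), shlex.quote(mls_range), seuser),
        "",
        "# 2. Map the Linux login to that SELinux user.",
        "semanage login -a -s %s -r %s %s" % (seuser, shlex.quote(mls_range), login),
        "",
        "# 3. Let sudo switch the login into the admin role and type.",
        "printf '%%s\\n' %s > %s" % (shlex.quote(sudoers_line), sudoers_file),
        "chmod 0440 %s" % sudoers_file,
        "visudo -c -f %s" % sudoers_file,
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input: login 'alice' becomes a security administrator.
    print(generate_admin_script("alice", "secadm_u", "secadm_r"))
```

The MLS range is a parameter rather than a constant for the reason the reply gives: the category range should come from the installed policy, not be baked into the tool. Writing the sudoers rule to its own file under /etc/sudoers.d and checking it with `visudo -c` keeps a typo from locking everyone out of sudo on the target machine.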