-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/07/2013 10:20 AM, Leonidas Da Silva Barbosa wrote: > These patches provides support to a new tool in sepolicy (admin). The goal > here is to give an user the hability to create new SELinux users, named > here as users admin, using admin roles, e.g. secadm_r, logadm_r, dbadm_r, > etc. > > Since sepolicy also intends to be used to create admin roles, I believe > admin tool can be used to complement the creation of those roles. > > sepolicy admin, works creating admin users and linking a SELinux user > admin to UNIX LOGIN that can transit from staff_r to 'adm_r' through sudo. > > > A couple of quick comments on this. First, I don't want to require sepolicy to be run as root if at all possible. Generating scripts that need to be run as root would be fine as we do with sepolicy generate, or to use the dbus interface defined by sepolicy gui would be ok. Secondly If I am going to make changes to the system, I would like to make it easy to make changes to lots of systems. So how do I repeat these changes on multiple machines? Generating a named script that I could then copy and execute on multiple machines, seems attractive to me, also helps admin learn what is going on under the covers. Too much hard coded in the tool. We now have mechanisms to extract information about the range of categories available, we should use this. I would like to be able to create new admin roles/types on the fly. Something that would take a name, and multiple _admin interfaces. sepolicy generate --confined_admin -u staff_u -a apache -a mysql -n apachemysql Would generate policy for a mysql/apache admin, then can we draw this in to your tool. Or do we just enhance sepolicy generate to include some of the stuff you are trying to do. > ---- > > Leonidas Da Silva Barbosa (5): adding seadmin support adding changes to > sepolicy argparse, seadmin option Adding seadmin manpage Adding seadmin > manpage info into sepolicy.8 adding completion to seadmin feature > > policycoreutils/sepolicy/sepolicy-admin.8 | 40 +++++++++++ > .../sepolicy/sepolicy-bash-completion.sh | 18 ++++- > policycoreutils/sepolicy/sepolicy.8 | 5 ++ > policycoreutils/sepolicy/sepolicy.py | 52 ++++++++++++++ > policycoreutils/sepolicy/sepolicy/seadmin.py | 83 > ++++++++++++++++++++++ 5 files changed, 197 insertions(+), 1 deletion(-) > create mode 100644 policycoreutils/sepolicy/sepolicy-admin.8 create mode > 100644 policycoreutils/sepolicy/sepolicy/seadmin.py > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlKA8AEACgkQrlYvE4MpobNG7gCfdmBoJ2pJHWjOIBG3HTRVzQWM Y9AAn3gKJaMBEoz3h1qU9XLaHtz/oFGz =wDek -----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
