On Thu, Jul 24, 2008 at 9:05 PM, Stephen Smalley <stephen.smalley@xxxxxxxxx> wrote:
> On Thu, 2008-07-24 at 14:22 -0400, Hasan Rezaul-CHR010 wrote:
>> Hi All,
>>
>> Is there any way at all to map an entire Linux GROUP to an SELinux_user
>> ??
>>
>> For example if Linux User accounts (Admin1, Admin2, and Admin3), all
>> belong to the Linux group "wadm".
>>
>> Is there a simple or tricky way to map the entire Linux group wadm ->
>> to staff_u ?
>>
>> This way, any Linux user account that happens to be part of the "wadm"
>> group would automatically be mapped to staff_u ? This way we don't have
>> to execute several semanage commands to create all those individual
>> mappings ?
>
> Not presently, but one could certainly implement such support in the
> userland (pam_selinux + libselinux getseuserbyname).
>

I know that we and others have done this in the past, though our
implementation at least is not really a general solution but something
specific for one situation. A general solution would need to resolve
what the semantics of the mapping would be including what to do when
multiple groups match. Not really a problem, just requires some thought.

Karl
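
An added example, not code from anyone in this thread: one possible semantics for the group mapping discussed above, where rules are ordered and the first rule whose group contains the login wins, expanded into the individual semanage commands the original question wanted to avoid typing. The rule list, the function names and the group data are assumptions made for the illustration; only the member list of each group entry is read, so users whose primary group is the mapped group would need a passwd lookup as well.

```shell
#!/bin/sh
# Added example: expand "group -> SELinux user" rules into per-login mappings.
# Assumed semantics: rules are ordered, and the first rule whose group
# contains the login wins (this settles the "multiple groups match" case).
RULES="wadm:staff_u
webdev:user_u"

# Constructed sample in group(5) format; on a live host pass "$(getent group)".
SAMPLE_GROUPS="wadm:x:1001:Admin1,Admin2,Admin3
webdev:x:1002:Admin2,dev1
audio:x:63:dev1"

# members_of GROUP: read group(5) data on stdin, print one login per line.
members_of() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# resolve_seuser LOGIN GROUPDATA: print the SELinux user of the first
# matching rule, or __default__ (the fallback login entry) if none matches.
resolve_seuser() {
    for rule in $RULES; do
        if printf '%s\n' "$2" | members_of "${rule%%:*}" | grep -qxF -- "$1"; then
            printf '%s\n' "${rule#*:}"
            return 0
        fi
    done
    printf '__default__\n'
}

# emit_mappings GROUPDATA: print one semanage command per login that is a
# member of any group named in RULES, each login listed exactly once.
emit_mappings() {
    for rule in $RULES; do
        printf '%s\n' "$1" | members_of "${rule%%:*}"
    done | sort -u | while read -r login; do
        printf 'semanage login -a -s %s %s\n' \
            "$(resolve_seuser "$login" "$1")" "$login"
    done
}

# Print the commands for review; nothing is applied to the system.
emit_mappings "$SAMPLE_GROUPS"
```

Admin2 belongs to both wadm and webdev in the sample data and resolves to staff_u because the wadm rule is listed first; reordering RULES changes that outcome, which is the decision a general solution has to make explicit.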