Re: Mapping Linux GROUP to an SELinux user ?...

Karl MacMillan wrote:
> On Thu, Jul 24, 2008 at 9:05 PM, Stephen Smalley
> <stephen.smalley@xxxxxxxxx> wrote:
>> On Thu, 2008-07-24 at 14:22 -0400, Hasan Rezaul-CHR010 wrote:
>>> Hi All,
>>>
>>> Is there any way at all to map an entire Linux GROUP to an SELinux_user
>>> ??
>>>
>>> For example if Linux User accounts (Admin1, Admin2, and Admin3), all
>>> belong to the Linux group  "wadm".
>>>
>>> Is there a simple or tricky way to map the entire Linux group    wadm ->
>>> to staff_u ?
>>>
>>> This way, any Linux user account that happens to be part of the "wadm"
>>> group would automatically be mapped to staff_u  ? This way we don't have
>>> to execute several semanage commands to create all those individual
>>> mappings ?
>> Not presently, but one could certainly implement such support in the
>> userland (pam_selinux + libselinux getseuserbyname).
>>
> 
> I know that we and others have done this in the past, though our
> implementation at least is not really a general solution but something
> specific for one situation.
> 
> A general solution would need to resolve what the semantics of the
> mapping would be including what to do when multiple groups match. Not
> really a problem, just requires some thought.
> 
> Karl
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.

First get seusers out of libsemanage.

libsemanage can be used to verify the selinux user exists and the level.
Then use the same syntax as sudo, I believe group name is preceded by
an @ sign.

@engineering


I will code up a patch for libselinux, but we need work to allow
semanage to add this syntax.
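
An added example, not part of the original message and not libselinux code: a sketch of how seusers-style lines carrying the `@group` prefix proposed above could be resolved, including the multiple-group case raised earlier in the thread. The precedence rule (exact login, then first matching group in file order, then `__default__`), the sample file and the group table are assumptions constructed for illustration.

```python
# Added illustration: resolve a login to an SELinux user from seusers-style
# lines in which "@name" denotes a Linux group (the syntax proposed in this thread).
SEUSERS = """\
# constructed sample, not a real policy file
__default__:user_u:s0
root:root:s0-s0:c0.c1023
Admin3:sysadm_u:s0-s0:c0.c1023
@wadm:staff_u:s0-s0:c0.c1023
@engineering:user_u:s0
"""

GROUPS = {  # constructed group database: group name -> member logins
    "wadm": {"Admin1", "Admin2", "Admin3"},
    "engineering": {"Admin2", "dev1"},
}

def parse_seusers(text):
    """Parse name:seuser[:range] lines; the range may itself contain ':'."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) < 2 or not parts[0] or not parts[1]:
            raise ValueError(f"line {lineno}: expected name:seuser[:range]")
        entries.append((parts[0], parts[1], parts[2] if len(parts) == 3 else ""))
    return entries

def resolve(login, entries, groups):
    """Return (seuser, range, matched_key).
    Assumed precedence: exact login > first matching @group in file
    order > __default__. A login in several groups gets the earliest line."""
    default = group_hit = None
    for name, seuser, mls in entries:
        if name == login:
            return seuser, mls, name          # explicit per-user mapping wins
        if name == "__default__":
            default = (seuser, mls, name)
        elif name.startswith("@") and group_hit is None:
            if login in groups.get(name[1:], ()):
                group_hit = (seuser, mls, name)
    result = group_hit or default
    if result is None:
        raise LookupError(f"no mapping for {login}")
    return result
```

Returning the matched key alongside the SELinux user lets a caller log which line decided the mapping, which helps when auditing why an account landed in a given role.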
