On Fri, 2009-06-19 at 15:51 -0400, Daniel J Walsh wrote:
> On 06/19/2009 03:30 PM, Chris PeBenito wrote:
> > On Fri, 2009-06-19 at 14:29 -0400, Daniel J Walsh wrote:
> >> Basically this is the exact same file as the seusers file except it is one
> >> per Linux User, whereas the seusers file is one record per Linux User.
> >>
> >> If I have a distributed environment, I need to say stuff like
> >>
> >> engineers logging into people.redhat.com get guest_t:s0
> >> Admins logging in get unconfined_t:SystemLow-SystemHigh
> >>
> >> In addition on some machines dwalsh is an admin and on others he is a
> >> peon. So using IPA we generate a mapping from MACHINE to User
> >>
> >> dwalsh on dwalsh_laptop gets unconfined_t
> >> dwalsh on desktop gets user_t
> >> dwalsh on people gets guest_t
> >>
> >> There is a potential use for service but it will probably default to *
> >> for now.
> >
> > I don't have a problem with this idea, but I do have a problem with this
> > not replacing the current seuser behavior. Having two ways to map Linux
> > users to SELinux users is an administration nightmare. People will be
> > confused about which one to use and you'll need to know precedence.
> > What you describe above with the contents of each file just having a *
> > service would be the same as the current seuser behavior.
>
> Well I don't see administrators editing the new format; we have not even
> used it yet, since IPA has not shipped this functionality yet.

I don't see how IPA's usage matters. If we go this way, in the future there will be two ways for the seusers mapping, which is confusing.

-- 
Chris PeBenito <pebenito@xxxxxxxxxx>
Developer, Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

-- 
This message was distributed to subscribers of the selinux mailing list.
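The precedence problem Chris raises, as an added example that is not part of the thread: a resolver that reads the real seusers syntax (login:seuser[:mls_range], with a __default__ entry) alongside a hypothetical per-host file (its login:host:seuser:range layout is an assumption, not the format proposed on the list), and returns which file decided the mapping so the precedence is explicit and auditable. Host names and logins are taken from Dan's message; the SELinux identities and ranges are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class SEUser:
    seuser: str
    mls_range: str

# Constructed sample in the real seusers syntax: login:seuser[:mls_range]
SEUSERS = """\
# blank lines and comments are ignored
system_u:system_u:s0-s0:c0.c1023
dwalsh:unconfined_u:s0-s0:c0.c1023
__default__:user_u:s0
"""

# Constructed sample of the hypothetical per-host mapping (assumed layout)
HOST_MAP = """\
dwalsh:dwalsh_laptop:unconfined_u:s0-s0:c0.c1023
dwalsh:desktop:user_u:s0
dwalsh:people:guest_u:s0
"""

def _records(text: str):
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line

def parse_seusers(text: str) -> Dict[str, SEUser]:
    """Map login -> SEUser. The MLS range itself contains ':' so split only twice."""
    out = {}
    for lineno, line in _records(text):
        parts = line.split(":", 2)
        if len(parts) < 2:
            raise ValueError(f"seusers line {lineno}: expected login:seuser[:range]")
        login, seuser = parts[0], parts[1]
        out[login] = SEUser(seuser, parts[2] if len(parts) == 3 else "s0")
    return out

def parse_host_map(text: str) -> Dict[Tuple[str, str], SEUser]:
    """Map (login, host) -> SEUser for the assumed login:host:seuser:range layout."""
    out = {}
    for lineno, line in _records(text):
        parts = line.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"host map line {lineno}: expected login:host:seuser:range")
        out[(parts[0], parts[1])] = SEUser(parts[2], parts[3])
    return out

def resolve(login: str, host: str, seusers: Dict[str, SEUser],
            host_map: Dict[Tuple[str, str], SEUser]) -> Tuple[SEUser, str]:
    """Precedence, stated once: host-specific entry, then seusers entry, then __default__.
    The second element names the source so an admin can see which file won."""
    if (login, host) in host_map:
        return host_map[(login, host)], "host_map"
    if login in seusers:
        return seusers[login], "seusers"
    if "__default__" in seusers:
        return seusers["__default__"], "seusers:__default__"
    raise LookupError(f"no SELinux user mapping for {login!r}")
```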