Thanks for your suggestion, very useful for me!!
2014-05-18 17:40 GMT+07:00 Sven Vermeulen <sven.vermeulen@xxxxxxxxx>:
On Sat, May 17, 2014 at 04:26:09PM +0700, toản cù wrote:
> Hi all!
> I am just researching policy in SELinux, and I am facing an issue when
> creating new roles for a user. I want to add roles for a user. I look
> forward to your help!
Hi Toản,
SELinux roles are defined through the SELinux policy, so in order to create
new roles, you need to create a SELinux policy module that contains the
proper statements.
With the reference policy, creating roles is not that hard. All that is
needed is a policy like the following (example for a postgresql
administration role):
#v+
policy_module(mypgsqladm, 1.0)
# creates the pgsqladm_r role and pgsqladm_t domain as a login role/domain pair
userdom_login_user_template(pgsqladm)
# only takes effect if the postgresql policy module is loaded
optional_policy(`
	postgresql_admin(pgsqladm_t, pgsqladm_r)
')
#v-
The call to userdom_login_user_template() creates a role (pgsqladm_r in the
example) and user domain (pgsqladm_t in the example) that can be used as a
primary login type (hence the "login" in the template call).
There are other templates available as well, such as
userdom_base_user_template() for the "basic" role definitions,
userdom_unpriv_user_template() and userdom_admin_user_template() for
unprivileged and privileged roles, etc.
Once this policy module is built and loaded, you can use the generated user
domains and roles. You will need to update files in /etc/selinux/*/contexts,
such as
- default_type (where pgsqladm_r:pgsqladm_t needs to be added)
- default_contexts (where the pgsqladm_r related target types will need to
be added)
With these changes in place, just assign the role(s) to the users and you're
ready to go.
Wkr,
Sven Vermeulen
Mr.Toan-Cu Xuan
School of Electronics and Telecommunications
Hanoi University of Science and Technology
1 Dai Co Viet, Ha noi, Viet nam.
Phone: 01656228762
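The steps Sven lists (write the module, build and load it, register the role in default_type and default_contexts, assign it to a login) as a shell script; this is an added example, not code from the thread. It assumes the refpolicy devel Makefile at /usr/share/selinux/devel (Fedora/RHEL layout), the contexts files under /etc/selinux/<store>/contexts, and a hypothetical SELinux user pgsqladm_u to carry the role.

```shell
#!/bin/sh
# Added example (not from the thread): Sven's steps as shell functions.
# Assumes the refpolicy devel Makefile at /usr/share/selinux/devel
# (Fedora/RHEL layout); contexts files live under /etc/selinux/<store>/contexts.
set -eu
DEVEL_MK=${DEVEL_MK:-/usr/share/selinux/devel/Makefile}
ROLE=pgsqladm_r; TYPE=pgsqladm_t

# 1. Module source from the thread, written to $1/mypgsqladm.te
write_module() {
  cat > "$1/mypgsqladm.te" <<'EOF'
policy_module(mypgsqladm, 1.0)
userdom_login_user_template(pgsqladm)
optional_policy(`
postgresql_admin(pgsqladm_t, pgsqladm_r)
')
EOF
}

# 2. Build and load (root, plus the policy devel package)
build_and_load() {
  ( cd "$1" && make -f "$DEVEL_MK" mypgsqladm.pp ) && semodule -i "$1/mypgsqladm.pp"
}

# 3a. default_type: one "role:type" per line; add ours only once
add_default_type() {
  grep -qx "$ROLE:$TYPE" "$1" || printf '%s:%s\n' "$ROLE" "$TYPE" >> "$1"
}

# 3b. default_contexts: "src_role:src_type[:lvl] tgt_role:tgt_type[:lvl] ...";
# append our pair to the login-path source lines so a login can land in
# pgsqladm_r. Other lines are untouched and re-running changes nothing.
add_default_contexts() {
  awk -v pair="$ROLE:$TYPE:s0" '
    $1 ~ /^system_r:(sshd_t|local_login_t|remote_login_t):/ && index($0, pair) == 0 { $0 = $0 " " pair }
    { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# 4. Give the role to a login: hypothetical SELinux user pgsqladm_u, then map a Linux account (root)
assign_role() {
  semanage user -a -R "$ROLE" pgsqladm_u && semanage login -a -s pgsqladm_u "$1"
}

# Offline dry run on constructed copies of the two contexts files; prints the dir
demo() {
  d=$(mktemp -d)
  printf 'system_r:unconfined_t\nstaff_r:staff_t\n' > "$d/default_type"
  printf 'system_r:sshd_t:s0\tuser_r:user_t:s0\nsystem_r:crond_t:s0\tuser_r:user_t:s0\n' > "$d/default_contexts"
  add_default_type "$d/default_type" && add_default_contexts "$d/default_contexts" && echo "$d"
}
```

Run `demo` to see the edits on scratch copies; steps 2 and 4 touch the live policy store and need root.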
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.