adding /etc/roles

Sean Middleditch elanthis at awesomeplay.com
Thu Apr 15 20:46:41 UTC 2004


As was recommended to me, I'm sending this to the list.  I was
recommended to go to -devel, but this list seems a heck of a lot more
appropriate, so here it is.  Note that although I'm now subscribed I
have delivery turned off, so CC me if you want a response.  I check the
web mail archives too, but I can't respond to messages posted there.
(I'd love to add that ability, though; a form to respond to any list mail
using your subscribed mail address and account password... would be
sweet.)

Red Hat Bugzilla #120571
  (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120571)

I wrote a script and patch for adding /etc/roles support to SELinux. So,
instead of needing to hack in m4 macros and botch the ability to upgrade
sources with RPM, you can just edit /etc/roles and rebuild the policy
nice and clean like.

Still need to figure out how to tell the policy (or system utilities)
what the default login role should be.  A user with user_r and sysadm_r
roles, for example, should not have sysadm_r as the default.  The
default_contexts file does this, but I'm not comfortable modifying that
file with a script.

Also, some tools like addrole and delrole would be nice, for modifying
the /etc/roles file and automatically rebuilding/reloading the policy.
useradd/userdel should also support this functionality.  The silly
seadduser command should also be fixed/removed; just make it so a flag
to useradd gives a default role, and if the default role is omitted,
don't add an /etc/roles entry.  (Users not in /etc/roles wouldn't have
an SELinux user ID, unless manually added to the policy sources.)  Makes
a heck of a lot more sense than a separate seuseradd command.  I think
there was a bugzilla entry regarding that, not sure what bug# though.  

Additionally, a command like "policy" or "selinux" for modifying various
SELinux attributes would be great (for example, pull in the
selinuxenabled command, and add something like "rebuild" or "load" as
well for rebuilding and reloading the policy).  Would make
administration a lot easier and saner, which SELinux needs a lot of...
-- 
Sean Middleditch <elanthis at awesomeplay.com>
AwesomePlay Productions, Inc.
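
As an added example (not part of Sean's message, his script or his patch), here is one way a roles file of the kind he proposes could be validated and turned into the `user ... roles { ... };` declarations the policy sources use. The `user:role1,role2` line format, the role allow-list and the convention that the first listed role is the login default are all assumptions of this example, chosen so the script can enforce the check the message asks for: a user holding sysadm_r alongside other roles must not get sysadm_r as the default.

```python
import re
import sys

# Constructed allow-list of roles an ordinary login user may be given.
# A real deployment would derive this from the policy sources.
KNOWN_ROLES = {"user_r", "staff_r", "sysadm_r"}

# Conservative user-name pattern so nothing odd reaches the policy compiler.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed sample in the assumed format: "user:role,role" with # comments.
SAMPLE_ROLES = """\
# assumed /etc/roles format: username:default_role,other_role,...
alice:user_r,sysadm_r
bob:staff_r
"""


def parse_roles(text):
    """Parse roles-file text into {user: [roles]} with the default role first.

    Raises ValueError on malformed lines, unknown roles, duplicate users,
    or a multi-role user whose default would be sysadm_r.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'user:role,...'")
        user, roles_field = (part.strip() for part in line.split(":", 1))
        if not USER_RE.match(user):
            raise ValueError(f"line {lineno}: bad user name {user!r}")
        if user in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {user}")
        roles = []
        for role in (r.strip() for r in roles_field.split(",")):
            if role and role not in roles:  # drop empties and repeats
                roles.append(role)
        if not roles:
            raise ValueError(f"line {lineno}: no roles given for {user}")
        unknown = [r for r in roles if r not in KNOWN_ROLES]
        if unknown:
            raise ValueError(f"line {lineno}: unknown role(s) {unknown}")
        # First role is the login default; refuse the most privileged one
        # as the default when a less privileged role is also available.
        if roles[0] == "sysadm_r" and len(roles) > 1:
            raise ValueError(
                f"line {lineno}: {user} would default to sysadm_r; "
                "list a less privileged role first")
        entries[user] = roles
    return entries


def render_policy(entries):
    """Render policy 'user' declarations, one per entry, in file order."""
    lines = [f"user {user} roles {{ {' '.join(roles)} }};"
             for user, roles in entries.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Read a roles file given on the command line, else use the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROLES
    sys.stdout.write(render_policy(parse_roles(source)))
```

The generated text is meant to be dropped into the policy sources before the usual rebuild step; keeping the generator strict (refuse rather than guess on a bad line) is what makes it safe to run from a package script, which is the upgrade-friendliness the message is after.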