SELINUX admin with LDAP

Daniel J Walsh dwalsh at
Wed May 21 13:57:08 UTC 2008

Rob Visser wrote:
> Hello,
> Is it possible to administer SELINUX users and RBAC stuff in LDAP? With RH
> directory server?
> It would be nice, since all the other stuff can be administered in LDAP.
> Rob Visser
We are working toward this goal.

seusers is now used with libselinux which I believe is a mistake.

I want to move the selection of the SELinux user and MLS Role into the
login programs pam_selinux and sshd.

Red Hat is looking into integration with FreeIPA. The biggest problem we
have now is how to select the correct seuser for a machine.

The following is a potential format for a distributed seusers file:

# Format
# loginname;machine;service;selinuxuser;level
# +name == group name

We have come up with a couple of formats for the "best match", but this
has to be easily understood by an administrator.

Anyways, this conversation should take place on the selinux
<selinux at> developer list.
> ------------------------------------------------------------------------
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at
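
Added example, not part of the original message and not code from libselinux, pam_selinux or FreeIPA: a sketch of parsing the five-field format proposed above and picking a "best match" for a login. The field order and the "+name" group prefix come from the message; the "*" wildcard, the specificity ordering (login name, then machine, then service), the function names and all sample records are assumptions.

```python
# Five-field layout is from the post; the "*" wildcard, the scoring rule and
# every sample record are assumptions made for this illustration.
SAMPLE = """\
# loginname;machine;service;selinuxuser;level
*;*;*;user_u;s0
+admins;*;sshd;staff_u;s0-s0:c0.c1023
alice;db1.example.com;sshd;sysadm_u;s0-s0:c0.c1023
alice;*;*;staff_u;s0
"""
FIELDS = ("loginname", "machine", "service", "selinuxuser", "level")

def parse(text):
    """Parse records; reject malformed lines rather than guessing at them."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != len(FIELDS) or not all(parts):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} non-empty fields")
        records.append(dict(zip(FIELDS, parts)))
    return records

def score(rec, login, groups, machine, service):
    """Specificity tuple (who, machine, service), or None if rec does not match."""
    name = rec["loginname"]
    if name == login:
        who = 2                      # exact login name
    elif name.startswith("+") and name[1:] in groups:
        who = 1                      # "+name" is a group, as in the post
    elif name == "*":
        who = 0                      # assumed wildcard
    else:
        return None
    rest = []
    for key, actual in (("machine", machine), ("service", service)):
        if rec[key] not in (actual, "*"):
            return None
        rest.append(1 if rec[key] == actual else 0)
    return (who, *rest)

def select(records, login, groups, machine, service):
    """Return (selinuxuser, level) for the most specific match, else None."""
    best = None
    for rec in records:
        s = score(rec, login, groups, machine, service)
        if s is not None and (best is None or s > best[0]):
            best = (s, rec)
    return (best[1]["selinuxuser"], best[1]["level"]) if best else None
```

With these sample records, alice logging in over sshd to a host other than db1.example.com gets staff_u at s0 from her own catch-all line rather than the wider range on the +admins sshd line, which shows how much the outcome depends on the precedence rule an administrator has to keep in mind. select() returns None when nothing matches so the login program can refuse the session instead of falling back to an unintended context.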
