[redhat-lspp] LSPP Development Telecon 12/12/2005 Minutes

Stephen Smalley sds at tycho.nsa.gov
Mon Dec 19 13:53:59 UTC 2005


On Fri, 2005-12-16 at 18:53 -0600, Debora Velarde wrote:
> -----
> Roles
> -----
> script instead of using selinux mechanism
> because don't have option of using selinux mechanism
> need to define how we're going to do this composition with a script

Can someone elaborate on what this means?  Options I see are:
- using the role dominance feature of the existing policy language, and
using SELinux roles as RBAC roles,
- using an entirely userspace construct for the role hierarchy and
generating SELinux policy from that hierarchy using some userspace tool
(which sounds like what you are describing), either mapping the RBAC
roles to SELinux roles or to SELinux user identities (which then are
authorized for SELinux roles via policy). Main issue then is ensuring
that the role hierarchy is properly enforced, by providing a strong
mapping between it and the underlying policy representation (which
should be possible).

-- 
Stephen Smalley
National Security Agency
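
The second option in the message above (a userspace role hierarchy compiled into SELinux policy, with a check that the mapping holds), as an added example that is not part of the original post or of any LSPP tool. The hierarchy, the role names and the `<role>_u` / `<role>_r` naming are constructed assumptions; each RBAC role is mapped to an SELinux user identity authorized for its inherited roles.

```python
import re

# Constructed RBAC hierarchy: senior role -> directly inherited junior roles.
HIERARCHY = {
    "admin": ["operator", "auditor"],
    "operator": ["staff"],
    "auditor": ["staff"],
    "staff": [],
}

def closure(hierarchy, role, _path=()):
    """Return the role plus every role it inherits; reject cycles and unknown roles."""
    if role in _path:
        raise ValueError("cycle in role hierarchy: " + " -> ".join(_path + (role,)))
    if role not in hierarchy:
        raise ValueError("undefined role: " + role)
    roles = {role}
    for junior in hierarchy[role]:
        roles |= closure(hierarchy, junior, _path + (role,))
    return roles

def generate_policy(hierarchy):
    """Emit one SELinux `user` statement per RBAC role (hypothetical naming scheme)."""
    lines = []
    for role in sorted(hierarchy):
        selinux_roles = " ".join(sorted(r + "_r" for r in closure(hierarchy, role)))
        # The MLS level/range clause is omitted here; an MLS policy requires it.
        lines.append("user %s_u roles { %s };" % (role, selinux_roles))
    return "\n".join(lines)

USER_STMT = re.compile(r"^user (\w+)_u roles \{ ([\w ]+) \};$")

def verify_mapping(hierarchy, policy_text):
    """Re-parse policy text; list identities whose authorized roles differ from the hierarchy."""
    authorized = {}
    for line in policy_text.splitlines():
        m = USER_STMT.match(line.strip())
        if m:
            authorized[m.group(1)] = {r[:-2] for r in m.group(2).split()}
    problems = []
    for role in sorted(set(hierarchy) | set(authorized)):
        expected = closure(hierarchy, role) if role in hierarchy else set()
        got = authorized.get(role, set())
        if got != expected:
            problems.append((role, sorted(expected), sorted(got)))
    return problems

if __name__ == "__main__":
    policy = generate_policy(HIERARCHY)
    print(policy)
    print("mismatches:", verify_mapping(HIERARCHY, policy))
```

`verify_mapping` is meant to be run against the policy source actually being built, so that a hand edit granting a junior identity a senior role shows up as a mismatch.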



