[redhat-lspp] RBAC Roles
Karl MacMillan
kmacmillan at tresys.com
Tue Sep 20 12:47:34 UTC 2005
> -----Original Message-----
> From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
> Sent: Tuesday, September 20, 2005 8:36 AM
> To: Karl MacMillan
> Cc: Daniel J Walsh; 'Steve Grubb'; 'lspp-list'
> Subject: RE: [redhat-lspp] RBAC Roles
>
> On Tue, 2005-09-20 at 08:29 -0400, Karl MacMillan wrote:
> > [kmacmillan at localhost ~]$ seinfo --users=root -x
> > root
> > system_r
> > user_r
> > sysadm_r
> >
> > You must provide a username that policy understands, as Steve mentions. It
> > wouldn't be hard to make it understand Linux usernames as well. Note that
> > you must be able to read the policy in order to run this utility (I'm
> > running this under targeted above).
>
> Hmm...looks like setools 2.1.2 isn't in rawhide yet, and you need it to
> deal with policy version 20. I get no output from the above command on
> a rawhide box, but rpm -q setools says 2.1.1-4. If I run seinfo on a
> policy.19 file, it works correctly.
>
I'd really like to see 2.1.2 in rawhide soon - Dan, we can get you an
updated rpm if you would like. Just let me know. Steve, there is no error
when you run this on rawhide, just a silent failure?
> BTW, I think we'll want the utility for this purpose to read the
> separate users configuration files (or more accurately, to use
> libsemanage to query) maintained under /etc/selinux/$SELINUXTYPE/users
> rather than directly reading the binary policy file, so that we don't
> have to allow full read access to the entire policy for this purpose.
>
I agree - and this tool should probably be based off of libselinux rather
than libapol.
Karl
------
Karl MacMillan
Tresys Technology
http://www.tresys.com
> --
> Stephen Smalley
> National Security Agency
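
The approach discussed in this message, answering "which roles does this user have" from the users configuration instead of the binary policy, shown as an added example that is not part of the original message and is not setools or libsemanage code. It assumes the users files hold policy-language `user NAME roles { ... };` statements; the function names and the sample input are constructed for illustration, and it parses text directly rather than calling libsemanage.

```python
import re

# Assumed syntax: the policy-language statement
#   user NAME roles { ROLE ... } [level ... range ...];
# or, with a single role,  user NAME roles ROLE;
USER_STMT = re.compile(
    r"\buser\s+(?P<name>[\w.-]+)\s+roles\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>[\w.-]+))[^;]*;"
)

def parse_users(text):
    """Map each SELinux user declared in `text` to its list of roles."""
    # Strip '#' comments first so commented-out declarations are ignored.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    users = {}
    for m in USER_STMT.finditer(body):
        roles = m.group("set").split() if m.group("set") is not None else [m.group("one")]
        # Assumption: a later declaration of the same user replaces an earlier one.
        users[m.group("name")] = list(dict.fromkeys(roles))
    return users

def roles_for(user, text):
    """Return the roles for `user`, failing loudly if the user is not declared."""
    users = parse_users(text)
    if user not in users:
        # An explicit error instead of empty output for names policy does not know.
        raise LookupError(f"{user!r} is not an SELinux user in this configuration")
    return users[user]

# Constructed sample input, not copied from a real system.
SAMPLE = """\
# system users
user system_u roles system_r;
user user_u roles { user_r };
# user olduser roles { sysadm_r };
user root roles { system_r user_r sysadm_r } level s0 range s0 - s0:c0.c255;
"""

if __name__ == "__main__":
    print(roles_for("root", SAMPLE))
```

Because only the users configuration is read, the caller needs read access to those files alone, not to the whole policy.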