[redhat-lspp] RBAC Roles

Daniel J Walsh dwalsh at redhat.com
Tue Sep 20 14:15:24 UTC 2005


Karl MacMillan wrote:

>>-----Original Message-----
>>From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
>>Sent: Tuesday, September 20, 2005 8:36 AM
>>To: Karl MacMillan
>>Cc: Daniel J Walsh; 'Steve Grubb'; 'lspp-list'
>>Subject: RE: [redhat-lspp] RBAC Roles
>>
>>On Tue, 2005-09-20 at 08:29 -0400, Karl MacMillan wrote:
>>
>>>[kmacmillan at localhost ~]$ seinfo --users=root -x
>>>   root
>>>      system_r
>>>      user_r
>>>      sysadm_r
>>>
>>>You must provide a username that policy understands, as Steve mentions. It
>>>wouldn't be hard to make it understand Linux usernames as well. Note that
>>>you must be able to read the policy in order to run this utility (I'm
>>>running this under targeted above).
>>>
>>Hmm...looks like setools 2.1.2 isn't in rawhide yet, and you need it to
>>deal with policy version 20.  I get no output from the above command on
>>a rawhide box, but rpm -q setools says 2.1.1-4.  If I run seinfo on a
>>policy.19 file, it works correctly.
>>
>
>I'd really like to see 2.1.2 in rawhide soon - Dan, we can get you an
>updated rpm if you would like. Just let me know. Steve, there is no error
>when you run this on rawhide, just a silent failure?
>
Should be in tomorrow.  Building now. 

>>BTW, I think we'll want the utility for this purpose to read the
>>separate users configuration files (or more accurately, to use
>>libsemanage to query) maintained under /etc/selinux/$SELINUXTYPE/users
>>rather than directly reading the binary policy file, so that we don't
>>have to allow full read access to the entire policy for this purpose.
>>
>
>I agree - and this tool should probably be based off of libselinux rather
>than libapol.
>
>Karl
>
>------
>Karl MacMillan
>Tresys Technology
>http://www.tresys.com
>
>>--
>>Stephen Smalley
>>National Security Agency


-- 
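
An added example, not part of the original message or of any tool discussed in the thread: a sketch of the least-privilege lookup proposed above, which answers "which roles may this SELinux user enter?" from the text of a users configuration file instead of the binary policy. It parses the text directly rather than going through libsemanage, and it assumes the files under /etc/selinux/$SELINUXTYPE/users hold policy-language `user NAME roles { ... };` statements; the sample input and the function names are constructed for illustration.

```python
import re

# Constructed sample in the `user NAME roles ...;` statement form that this
# sketch assumes for the users configuration files; not taken from a real host.
SAMPLE_USERS = """\
# constructed users file
user system_u roles { system_r };
user user_u roles user_r;
user root roles { system_r user_r
                  sysadm_r };   # a statement may span lines
"""

# One statement: a braced role set or a single bare role, then an optional
# tail (for example MLS `level ... range ...`) up to the closing ';'.
_STMT = re.compile(
    r"\buser\s+(?P<name>[\w.-]+)\s+roles\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>[\w.-]+))"
    r"[^;]*;"
)


def parse_users(text):
    """Return {selinux_user: [roles]} parsed from users-file text."""
    # Drop comments first so a ';' or '}' inside one cannot end a statement.
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    users = {}
    for m in _STMT.finditer(text):
        if m.group("set") is not None:
            roles = m.group("set").split()
        else:
            roles = [m.group("one")]
        if not roles:
            raise ValueError("user %r has an empty role set" % m.group("name"))
        # Assumption of this sketch: a later definition replaces an earlier one.
        users[m.group("name")] = roles
    return users


def roles_for(text, username):
    """Roles for one SELinux user; the name must be one the policy defines."""
    users = parse_users(text)
    if username not in users:
        raise LookupError("%r is not a user defined in this policy" % username)
    return users[username]


if __name__ == "__main__":
    print("root:", " ".join(roles_for(SAMPLE_USERS, "root")))
```

A caller needs read access only to the users file it passes in, so the binary policy can stay unreadable to it.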




