SELinux Mailing List

Re: User home directory creation with useradd (rhbz#217441)

From: Russell Coker <russell_at_coker.com.au>
Date: Sat, 2 Dec 2006 11:21:43 +1100


On Saturday 02 December 2006 07:47, Linda Knippers <linda.knippers@hp.com> wrote:
> > 1. Have an option for useradd to call semanage to add the selinux user,
> > and then do the restorecon.
>
> I think useradd should be able to either create the selinux user or map the
> linux user to an existing selinux user. Right now you can't create an
> selinux user without a linux login

I think that this is a bug. You should be able to create SE Linux users without Linux logins, if only for the case of a NIS/LDAP server being down at SE Linux user creation time.

> but I think I ought to be able to create
> the selinux users separate and then map one or more linux logins to each
> one, or have useradd create a unique linux user for me if I choose. And if
> I don't choose, the linux user should end up with the correct home
> directory based on the default selinux user.

I think that part of the solution is to have semanage call useradd.

> > 2. Have semanage do the equivalent of a restorecon when doing an
> > add/modify (or just add) of SELinux user information.
>
> If the semanage is done after the useradd (could be weeks after), the
> user could have files that live outside the home directory (I think
> Dan pointed this out to me) so what files and directories would you
> run restorecon on?

Also for an MLS environment you can't just relabel the files unless the new sensitivity label dominates the old. For a strict policy system it's generally acceptable to relabel the files, but for MLS that won't work.

> > 3. Have some kind of wrapper that does:
> > i. useradd
> > ii. semanage
> > iii. restorecon
>
> I don't like the wrapper idea because if we can do it in a wrapper,
> we can do it in useradd.

Or semanage, or do it in both and give the sys-admin a choice.

-- 
russell@coker.com.au
http://etbe.blogspot.com/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

Received on Fri 1 Dec 2006 - 19:21:29 EST
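
The MLS constraint raised in the message above (a relabel is only acceptable when the new level dominates the old one) can be checked before any restorecon-style relabel is attempted. The following is an added example, not code from the post or from any SELinux tool; the function names, paths and contexts are constructed for illustration, and it assumes each file carries a single level such as `s1:c0.c3` rather than a low-high range.

```python
import re

def parse_level(level):
    """Parse one MLS level, e.g. 's2:c0.c3,c7', into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity in {level!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # 'c7' or span 'c0.c3'
        if not r:
            raise ValueError(f"bad category set in {level!r}")
        lo, hi = int(r.group(1)), int(r.group(2) or r.group(1))
        if lo > hi:
            raise ValueError(f"reversed category span in {level!r}")
        categories.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(categories)

def dominates(new, old):
    """True if new has sensitivity >= old and a superset of old's categories."""
    ns, nc = parse_level(new)
    os_, oc = parse_level(old)
    return ns >= os_ and nc >= oc

def level_of(context):
    """Return the level field of a 'user:role:type:level' context string."""
    fields = context.split(":", 3)  # the level itself may contain ':'
    if len(fields) != 4:
        raise ValueError(f"context has no MLS level: {context!r}")
    return fields[3]

def relabel_plan(files, new_level):
    """Split {path: context} into (safe to relabel, must be held back)."""
    ok, blocked = [], []
    for path, ctx in sorted(files.items()):
        (ok if dominates(new_level, level_of(ctx)) else blocked).append(path)
    return ok, blocked

# Constructed sample: current contexts of one user's files, inside and
# outside the home directory (assumed values, not taken from a real system).
SAMPLE = {
    "/home/alice/notes.txt": "user_u:object_r:user_home_t:s0",
    "/home/alice/report": "user_u:object_r:user_home_t:s1:c0.c3",
    "/home/alice/secret": "user_u:object_r:user_home_t:s2:c5",
    "/var/spool/mail/alice": "user_u:object_r:mail_spool_t:s1:c7",
}

if __name__ == "__main__":
    print(relabel_plan(SAMPLE, "s1:c0.c5"))
```

Files in the second list would be downgraded or lose a category by the relabel, so they need an administrator's decision rather than an automatic relabel.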
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service