>>SELinux Mailing List

Contents

Overview

What's New

Frequently Asked Questions

Background

Documentation

License

Download

Participating

Mail List

Archive Summary

Archive by Thread

Archive by Author

Archive by Date

Archive by Subject

Remaining Work

Contributors

Related Work

Press Releases

Re: General Users

From: Shaun Savage <savages_at_pcez.com>
Date: Tue, 15 Jan 2002 15:38:32 -0800

Westerman, Mark wrote:

To sum it up you want dynamic user add or daily policy update.

here is a kluge idea:
create a new push/pull program to down load the policy daily, using what ever security you need.
create a policy to allow this program to load the new policy. here again you define the security needed.
create a script to generate the "user" file and make the new policy ready to send

now the get_user_sids would work in getting the default context/sid

The problem here is this push/pull program would need to be protected. by selinux policy and encryption.

The better way would be to allow dynamic user add. When a user logins in, the nis information sent back to the client has a selinux group. this selinux group allows a user different user rights but the policy lookup is dependent on the group and user. group_sid + dymanic_user = sid

user_group:user_r:user_t where user is the user name and group is the group name.

user = zot and group = student
zot_student:user_r:user_t
thr group 'student' is defined in the policy.

This would require new syscalls, sid= new_user(name, group, context), and del_user(sid)

Shaun

>I am not worried about user Profile Management or any type
>of group management.
>
>The issues is the actual SELinux policy management.
>When you create the policy from the policy
>rules the binary file is store in /ss_policy. To add a
>user to the system now you must:
> 1. Add the user to the system
> 2. Add the user to the file SELinux/policy/users
> user xxxx roles { user_r };
> 3. Rebuild the policy file.
> make install
> 4. Load the new policy into the kernel or reboot.
> load_policy /ss_policy
> 5. Add the user to the /etc/security/default_context
> 6. Add the user to the /etc/security/cron_context
>
>
>Some of the problems I will have with this type of implementation is
> 1. I do not believe that the load_policy will be allowed on the
> general workstation (security reasons) . That leaves only reboot.
> 2. Rebuild the policy file for hundred workstation is not a feasible
>
> implementation.
> 3. The policy files will the same for each workstations so a push of
> the policy files is ok. (this will be performed via encryption)
> 4. As stated early password will be distributed via NIS (legacy
>reasons
> not an option to change).
>
>Any more Ideas or suggestions would be greatly appreciated
>
>Mark Westerman
>
>--
>You have received this message because you are subscribed to the selinux list.
>If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>the words "unsubscribe selinux" without quotes as the message.
>
>

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Tue 15 Jan 2002 - 19:10:07 EST

This message: [ Message body ]
Next message: Donald Kasper: "Re: General Users"
Previous message: Bognar Attila: "Redhat 7.2 + selinux-2001121010.tgz"
In reply to: Westerman, Mark: "Re: General Users"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:26 EDT