From: Lonnie Cumberland <lonnie_at_outstep.com>
subject: Adding Accounts
Date: Wed, 23 Jan 2002 08:28:55 -0500 (EST)


Hello All,

Hope that you are all doing well today.

I was just wondering about adding new user accounts, ok.

With standard Linux we just do "useradd", but with SELinux I had to edit some files by hand before I did the "make quickinstall".

I am guessing that ran the "make relabel" which generated the security policy.

Is there an easier way to add users now that I have SELinux installed and running?

Cheers,
Lonnie

-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: Lonnie@OutStep.com
      : Lonnie_Cumberland@yahoo.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Adding Accounts
Date: Wed, 23 Jan 2002 09:38:21 -0500 (EST)

On Wed, 23 Jan 2002, Lonnie Cumberland wrote:

> Is there an easier way to add users now that I have SELinux installed
> and running?

At present, to add new users that are recognized by the SELinux policy, you must add an entry for the user to policy/users and reload the policy (run 'make load' in the policy directory), and you must add contexts for the user to the /etc/security/{default_context,cron_context} files. The need for per-user entries in the /etc/security files will go away once we migrate to a new set of libsecure functions (see the /etc/security/default_context vs. /etc/security/default_contexts thread on the mailing list), pending on someone taking the time to finish that work.

However, that will still leave the policy/users file. Mark Westerman suggested adding a general unprivileged user to the SELinux policy that can be used for all unspecified users, and has been working on a patch to implement support for such a user - see the General Users thread on the mailing list. This will work as long as you are ok with merely mapping all such users to the same set of authorized roles (i.e. you do not need the policy to separate such users) and you do not care about per-user accountability for such users. Otherwise, you will need to update policy/users and reload the policy for new users.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
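
The following is an added example, not part of the original thread and not code from the SELinux project: shell helpers that list login accounts with no declaration in a policy/users file and append one safely. It assumes declarations of the form `user NAME roles { ROLE ... };`, the role name `user_r`, a UID cut-off of 500 for human accounts, and file paths passed as arguments; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes policy/users holds
# statements of the form:  user NAME roles { ROLE ... };

# List the user names declared in a policy/users file, ignoring comments.
policy_users() {
    sed 's/#.*//' "$1" | awk '$1 == "user" && $3 == "roles" { print $2 }'
}

# List accounts in a passwd-format file with UID >= min_uid (default 500,
# an assumed cut-off for human accounts) that the policy does not declare.
unmapped_accounts() {
    declared=$(policy_users "$2")
    awk -F: -v min="${3:-500}" '$3 >= min { print $1 }' "$1" |
    while read -r name; do
        printf '%s\n' "$declared" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Append "user NAME roles { ROLES };" unless NAME is already declared.
# Returns 0 if added, 1 if already present, 2 if an argument is rejected.
# Names and roles are restricted to [a-z0-9_-] so an argument can never
# smuggle extra policy statements into the file.
add_policy_user() {
    [ $# -ge 3 ] || return 2
    users_file=$1 name=$2
    shift 2
    for word in "$name" "$@"; do
        case $word in
            ''|*[!a-z0-9_-]*) echo "rejected: $word" >&2; return 2 ;;
        esac
    done
    if policy_users "$users_file" | grep -qxF -- "$name"; then
        return 1
    fi
    printf 'user %s roles { %s };\n' "$name" "$*" >> "$users_file"
}

# Constructed sample data for a dry run in a scratch directory.
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'jdoe:x:500:500::/home/jdoe:/bin/bash' \
        'alice:x:501:501::/home/alice:/bin/bash' > "$1/passwd"
    printf '%s\n' '# constructed sample policy/users' \
        'user system_u roles system_r;' \
        'user root roles { user_r sysadm_r };' \
        'user jdoe roles { user_r };' > "$1/users"
}
```

These helpers only edit the users file; the policy reload ('make load') and the /etc/security entries described in the reply above remain separate steps.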








This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT
