fedora-selinux August 2010 archive

Re: SELinux integration in LDAP

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Tue Aug 17 2010 - 10:25:00 GMT
To: imsand@puzzle.ch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/17/2010 06:12 AM, imsand@puzzle.ch wrote:
> Hello,
>
> I'm referring to an older post (May 2008)
> http://lists.fedoraproject.org/pipermail/selinux/2008-May/009449.html
>
> The question is, if it’s possible to administer SELinux users and RBAC
> stuff (like roles) in LDAP?
> Are there some developments on this?
> What about FreeIPA, do they have some sample code / libraries that I could
> integrate in our company?
>
> In our company everything relies on LDAP. So I must have a solution for
> integrating SELinux in LDAP.
>
> Thanks in advance
> imsand
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
It would be fairly easy to integrate SELinux users and LDAP. We have
suggested in the past that people store this data in LDAP and then use
tools, perhaps in a cron job, to extract the data and update the seusers
file. But the problem comes down to: how do you do seusers per machine?

As an example, my account on my laptop should be staff_u, but my account
on people.fedoraproject.org or people.redhat.com should be guest_u.

IPA is supposed to address this by adding Machine Identity. We had some
discussion on having sssd handle some of this also at LinuxCon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkxqY3wACgkQrlYvE4MpobNcdgCcCRs6ZXEML1W+bgu/RQMDqqoY
M6kAoNH7UUZ1bwc0Y+sLOkMTOAHtXajZ
=nVLL
-----END PGP SIGNATURE-----
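The cron-driven scheme Dan describes, with the per-machine twist he raises, as an added example that is not code from this thread, from Fedora, or from IPA/sssd. It assumes a hypothetical export format (one line per user: login, default seuser:range, then optional host=seuser:range overrides); the directory export is a constructed sample embedded inline so the script runs offline, where a real deployment would produce it with ldapsearch against whatever schema the site chooses. The script builds the seusers file for one host, keeps the system_u and __default__ entries that must never be lost, and refuses to install a file without __default__, since a broken seusers file can lock every user out of the box.

```shell
#!/bin/sh
# Added example (not from the thread, Fedora, or IPA): build an seusers file
# for one host from a per-user SELinux mapping exported from LDAP.
#
# Assumed, hypothetical export format, one user per line:
#   login  default_seuser:range  [host=seuser:range ...]
# Constructed sample export so the script runs offline; in production this
# would come from ldapsearch against a site-chosen schema.
SAMPLE_EXPORT='dwalsh staff_u:s0-s0:c0.c1023 people.fedoraproject.org=guest_u:s0 people.redhat.com=guest_u:s0
imsand user_u:s0 laptop.example.com=staff_u:s0-s0:c0.c1023
root unconfined_u:s0-s0:c0.c1023'

# Entries every seusers file must keep regardless of what the directory says.
FIXED_ENTRIES='system_u:system_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023'

# seusers_for_host HOST [EXPORT]: print login:seuser:range lines for HOST,
# using the host-specific override when present and the default otherwise.
seusers_for_host() {
    host=$1
    export_data=${2:-$SAMPLE_EXPORT}
    printf '%s\n' "$FIXED_ENTRIES"
    printf '%s\n' "$export_data" | while read -r login mapping overrides; do
        [ -n "$login" ] || continue
        for kv in $overrides; do
            case $kv in
                "$host"=*) mapping=${kv#*=} ;;
            esac
        done
        printf '%s:%s\n' "$login" "$mapping"
    done
}

# seuser_of HOST LOGIN: the SELinux user LOGIN would be mapped to on HOST.
seuser_of() {
    seusers_for_host "$1" | awk -F: -v l="$2" '$1 == l { print $2 }'
}

# install_seusers HOST FILE: generate into a temp file and move it into place
# atomically, refusing any result that lacks a __default__ entry.
install_seusers() {
    host=$1
    dest=$2
    tmp="$dest.tmp.$$"
    seusers_for_host "$host" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! grep -q '^__default__:' "$tmp"; then
        rm -f "$tmp"
        echo "refusing to install $dest: no __default__ entry" >&2
        return 1
    fi
    mv "$tmp" "$dest"
}

# Usage from cron on each host (policy path assumed to be targeted):
#   install_seusers "$(hostname -f)" /etc/selinux/targeted/seusers
```

The host name is the key that makes the mapping per-machine: the same dwalsh row yields staff_u on his laptop and guest_u on people.redhat.com, which is the distinction the reply says a flat LDAP-to-seusers sync cannot express on its own. Ranges are carried with the seuser so that a confined guest_u entry can drop the MCS category range while the unconfined and staff entries keep it.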