Currently you must run useradd before you run "semanage login -a" to create a SE Linux identity. Does this make sense?
The SE Linux identity needs to be created first if we are to initially label the home directory with the correct label (which I think is a good thing). Also, if we have a source of user account information such as LDAP being used, then there is more possibility for a need to create identities before creating matching Unix accounts. Finally, there is no real need to create the Unix account first. There is no harm done by creating the identity first; in fact, if the Unix account is created with an enabled password before the identity is created, then the user may log in with inappropriate permissions.

The next issue that derives from this is the creation of Unix accounts. I think it would be convenient to have a single program create Unix accounts with the SE Linux data. In fact, having "semanage user -a", "semanage login -a" and "useradd" all combined into the one program seems beneficial to me. Among other benefits, this would aid scripting by having only one error point and improve performance by having all SE Linux operations proceed under the one transaction.

What do you think?

--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
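The following is an added example, not part of the original post or of any Red Hat tool: a shell wrapper that keeps the current ordering (useradd first) but closes the window the post describes by enabling the password only after the login mapping and home directory labels are in place. The names `run`, `provision_user` and `DRY_RUN` are hypothetical; it assumes the SELinux user already exists, homes live under /home, and that useradd without -p leaves the password locked, as shadow-utils does.

```shell
#!/bin/sh
# Added example: one entry point, one error path, password enabled last.
# DRY_RUN=1 prints each command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# provision_user LOGIN SEUSER
# SEUSER must already exist (for instance created with "semanage user -a").
provision_user() {
    login=$1
    seuser=$2
    # Reject empty names, option-like names and unexpected characters.
    case $login in
        ''|-*|*[!a-z0-9_-]*) echo "bad login name: $login" >&2; return 2 ;;
    esac

    # 1. Create the Unix account. No -p is given, so the password stays
    #    locked and nobody can log in with the default mapping yet.
    run useradd -m "$login" || return 1

    # 2. Map the login to its SELinux identity. If that fails, remove the
    #    half-made account instead of leaving it behind unmapped.
    if ! run semanage login -a -s "$seuser" "$login"; then
        run userdel -r "$login"
        return 1
    fi

    # 3. Relabel the home directory; -F also resets the user portion of
    #    the context, which is the part the mapping changes.
    run restorecon -R -F "/home/$login" || return 1

    # 4. Only now give the account a usable password (interactive).
    run passwd "$login"
}

# Run directly as: script LOGIN SEUSER
if [ "$#" -ge 2 ]; then
    provision_user "$1" "$2"
fi
```

Running it with `DRY_RUN=1` shows the command order without touching the system.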
