I've missed a lot of history... Is there already an accepted design for
whether the user's home directory is created as multi-level or
polymorphic, if the user is allowed to run at multiple sensitivity
levels? How would that setup be changed if the user's clearance is later
changed? Whether a .rc file created in the home directory by an app can
be reused when the user starts the same app at a different sensitivity
level?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Russell Coker
Sent: Thursday, May 04, 2006 6:32 AM
To: [email protected]
Subject: [redhat-lspp] semanage login -a vs useradd

Currently you must run useradd before you run "semanage login -a" to
create a SE Linux identity.  Does this make sense?

The SE Linux identity needs to be created first if we are to initially
label the home directory with the correct label (which I think is a good
thing).  Also if we have a source of user account information such as
LDAP being used then there is more possibility for a need to create
identities before creating matching Unix accounts.

Finally there is no real need to create the Unix account first.  There
is no harm done by creating the identity first, in fact if the Unix
account is created with an enabled password before the identity is
created then the user may login with inappropriate permissions.

The next issue that derives from this is the creation of Unix accounts.
I think it would be convenient to have a single program create Unix
accounts with the SE Linux data.  In fact having "semanage user -a",
"semanage login -a" and "useradd" all combined into the one program
seems beneficial to me.  Among other benefits this would aid scripting
by having only one error point and improve performance by having all SE
Linux operations proceed under the one transaction.


What do you think?


--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
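An added example, not code from the thread or from the semanage/useradd projects, of how an administrator can live with the ordering the message describes (useradd first, then "semanage login -a") while closing the window in which a Unix account exists without a matching SE Linux identity: the account stays locked until the mapping exists and the home directory has been relabelled. The user name, SELinux user and MLS range are constructed sample values, and it assumes semanage regenerates the home directory file contexts when the mapping is added.

```shell
#!/bin/sh
# Added example (not from the thread). Ordering: useradd first, as currently
# required, but locked; then the login mapping; then relabel the home
# directory that was created before the mapping existed; unlock last.

# Return 0 if "semanage login -l" lists a mapping for the given Unix name.
login_mapping_exists() {
    semanage login -l 2>/dev/null |
        awk -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# add_mls_user NAME SEUSER RANGE
add_mls_user() {
    name="$1" seuser="$2" range="$3"
    useradd -m "$name" || return 1
    # Keep the account locked so nobody can log in before the identity exists,
    # even if a password is set in the meantime.
    usermod -L "$name" || return 1
    semanage login -a -s "$seuser" -r "$range" "$name" || return 1
    login_mapping_exists "$name" || return 1
    # The home directory was labelled before the mapping existed; relabel it
    # from the regenerated home directory contexts.
    restorecon -R "/home/$name" || return 1
    usermod -U "$name"
}
```

Run as root, e.g. `add_mls_user alice staff_u 's0-s0:c0.c1023'`, then set the password; the account is only unlocked once every earlier step has succeeded.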