Naming convention flames

Russell Coker russell at coker.com.au
Fri Apr 2 04:44:52 UTC 2004


On Fri, 2 Apr 2004 08:55, murphy pope <pope_murphy at hotmail.com> wrote:
> Why does SELinux use a separate user database?  Why doesn't SELinux read
> the /etc/passwd database instead of maintaining its own?  Has anybody
> ever said "hey, we've already got one database, things will get a whole
> lot clearer if we invent another one instead"?

One thing that you have to consider is the use of NIS, LDAP, and other sources 
of account and password information.

The SE Linux use of identities is compiled into the policy database which is 
loaded into the kernel and in normal system operation does not change.

Having the SE Linux policy change according to a dynamic lookup of NIS or LDAP 
is not going to work well and may decrease security (NB in the standard 
policy /bin/login is not even permitted to read /etc/shadow).

Having the SE Linux policy generation process involve sucking down all data 
about accounts is not necessarily possible.  LDAP servers may be (and usually 
are) configured to limit the number of items returned in a single query for 
performance reasons (I once made a machine with 8G of RAM thrash until it was 
unusable with a single LDAP query because of not having such limits).  If the 
LDAP result limit is less than the number of users then having SE Linux 
policy generation use the complete list of users would not be possible.

The use of user_u identity is a good solution to these issues and the only 
solution for regular users.  For users with higher access levels it should 
not be difficult to list them specially in the policy source files.

> There seems to be some difference between a domain and a type, although
> given the lack of documentation, I'm not convinced of that.  If they are
> different, whose idea was it to use the same naming convention for
> both?  Why not user_t and user_d?  Use _t to indicate a type and _d to
> indicate a domain.  Or do they have to be from the same namespace?  Does
> a type named user_t always exactly correspond to a domain named user_t?
> If so, what's the difference between a domain and a type?

As James says, there is no difference, this is why they both end in _t.  I 
agree that it can be confusing at the start, but it's not going to get 
changed at this time.

> Why do we need useradd and seuseradd?  Shouldn't useradd give me the
> option to create an identity? Or better yet, shouldn't useradd create an
> identity by default and give me the option to create a generic user
> instead?

useradd definitely should not create identities by default.  If it did then we 
would have identities "ntp", "apache", "named", "xfs", etc.  We don't want 
that.

seuseradd is a good solution to this problem.  It calls useradd 
(so /etc/default/useradd will be used in the regular manner), and it then 
does SE Linux stuff afterwards.  I think that it is OK to have scripts that 
add system users continue to run as before, and have useradd work for adding 
user_u users, but require seuseradd for adding SE users.

> Sorry to sound so negative, but this stuff is not ready for prime-time

The version is Fedora Core 2 TEST 2.  It's not expected to be fully ready for 
prime-time yet, we are working as fast as we can.

One thing you may consider is joining #fedora-selinux on irc.freenode.net.  I 
am usually on there and ready to answer questions.  We want to build up the 
SE Linux skills of the community to help in solving such problems.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
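An illustration of the wrapper pattern described in the reply above (run the ordinary useradd first so /etc/default/useradd applies, then do the SE Linux step afterwards, with unlisted accounts falling through to the generic user_u identity). This is an added example written for this page, not Russell Coker's or Fedora's seuseradd script; the policy source path, the users file name and the USERADD_CMD override are assumptions made for the example, and the `user NAME roles { ... };` line is the classic policy-source declaration form the reply refers to when it says privileged users can be "listed specially in the policy source files".

```shell
#!/bin/sh
# Added example (not the Fedora seuseradd script): create the Unix account first,
# then declare a dedicated SE Linux identity only for accounts that need roles
# beyond user_r. Everyone else is left to map to the generic user_u identity.

# Assumed locations; both are placeholders, not paths taken from the thread.
POLICY_SRC="${POLICY_SRC:-/etc/security/selinux/src/policy}"
# Overridable so the logic can be exercised without root (e.g. USERADD_CMD=true).
USERADD_CMD="${USERADD_CMD:-useradd}"

# Print one policy-source identity declaration: "user NAME roles { r1 r2 };"
se_user_decl() {
    name="$1"; shift
    printf 'user %s roles { %s };\n' "$name" "$*"
}

# An account only warrants its own identity if some role other than user_r
# was requested; a plain user_r account is served by user_u.
needs_identity() {
    for r in "$@"; do
        if [ "$r" != "user_r" ]; then
            return 0
        fi
    done
    return 1
}

# Usage: se_useradd NAME ROLE...
# 1. add the Unix account the regular way (honouring /etc/default/useradd)
# 2. append an identity declaration to the policy users file if needed
se_useradd() {
    name="$1"; shift
    "$USERADD_CMD" "$name" || return 1
    if needs_identity "$@"; then
        se_user_decl "$name" "$@" >> "$POLICY_SRC/users"
    fi
    # no declaration for user_r-only accounts: they fall through to user_u
    return 0
}
```

Invoked as `se_useradd alice user_r sysadm_r`, this adds the account and appends `user alice roles { user_r sysadm_r };` to the assumed users file, after which the policy has to be rebuilt and reloaded for the identity to exist; `se_useradd bob user_r` only creates the account, matching the reply's point that useradd alone is enough for user_u users.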
