Polyinstantiation that allows group access

Forrest Taylor ftaylor at redhat.com
Tue Feb 26 23:06:05 UTC 2008


On Tue, 2008-02-26 at 23:37 +0100, Tomas Mraz wrote:
> On Tue, 2008-02-26 at 15:23 -0700, Forrest Taylor wrote:
> > Is there any way to allow polyinstantiation to give the same view to a
> > number of users?  For example, I want to give users in the adm group
> > access to the same shared /tmp (really /tmp-adm) directory, users in the
> > wheel group access to a different shared /tmp (really /tmp-wheel), and
> > all other users access to their own individual /tmp.  Is this possible?
> > 
> > Of course, the more I think about this, the more I see reasons not to do
> > it such as conflicts--what if a user were in the adm and wheel groups?
> > For a single group, I can see excluding them from the polyinstantiated
> > directory entirely, but with several groups I cannot think of a way to
> > safely do this.  Thoughts?
> 
> There isn't such a method in pam_namespace yet. The question is how you
> would resolve the conflicts. But in pam-0.99.10.0 there is already the
> possibility to share a polyinstantiated directory among users (using the
> shared flag). The directory would be polyinstantiated purely based on
> the context (or level), so users with the same context will get the
> same instance.

Excellent, thanks for the quick reply!  I think the shared flag would
work just fine.  We could change the context of users that were in the
groups that needed to be separate and PAM would take care of the rest.

Thanks,

Forrest
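Added example for the shared-flag behaviour described in the reply above (my own illustration, not code from this thread, from Red Hat or from pam_namespace itself): a toy Python model of namespace.conf lines showing why users at the same level land in one instance once the shared flag is set. It assumes the instance name is the level alone with the flag and "<level>_<user>" without it, and it leaves out the SELinux lookups and directory creation the real module performs.

```python
# Added example, not code from the thread or from pam_namespace itself: a toy
# model of namespace.conf entries and the "shared" flag. Assumed simplification:
# the instance name is "<level>_<user>" for the level method and just "<level>"
# with the shared flag; the real module also consults SELinux and creates dirs.
from collections import namedtuple

# polydir: what the user sees; prefix: where instances live; excluded: users
# for whom no polyinstantiation happens (4th field of namespace.conf)
PolyDir = namedtuple("PolyDir", "polydir prefix method flags excluded")


def parse_namespace_conf(text):
    """Parse 'polydir instance_prefix method[:flag...] [user,...]' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed namespace.conf line: {raw!r}")
        method, *flags = fields[2].split(":")
        excluded = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries.append(PolyDir(fields[0], fields[1], method, set(flags), excluded))
    return entries


def instance_dir(entry, user, level):
    """Directory 'user' (running at MLS level/context 'level') gets here."""
    if user in entry.excluded:
        return entry.polydir                     # sees the real directory
    if entry.method == "user":
        return entry.prefix + user
    if entry.method in ("level", "context"):
        # shared: keyed on the level alone, so equal levels => one instance
        key = level if "shared" in entry.flags else f"{level}_{user}"
        return entry.prefix + key
    raise ValueError(f"unsupported method {entry.method!r}")


# Constructed sample config and users, not taken from any real host.
SAMPLE_CONF = "/tmp  /tmp-inst/  level:shared  root\n"
SAMPLE_USERS = {"alice": "s0:c1", "bob": "s0:c1", "carol": "s0:c2",
                "dave": "s0", "root": "s0-s15:c0.c1023"}


def tmp_views(conf=SAMPLE_CONF, users=SAMPLE_USERS):
    """Map each user to the /tmp instance they would see under conf."""
    (tmp_entry,) = parse_namespace_conf(conf)
    return {u: instance_dir(tmp_entry, u, lvl) for u, lvl in users.items()}
```

In this model dave, left at the default level s0, shares one instance with every other default-level user, so the "everyone else gets an individual /tmp" part of the original question needs those users to carry distinct levels as well.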