[redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes

Russell Coker rcoker at redhat.com
Mon Apr 17 14:39:04 UTC 2006


On Mon, 2006-04-17 at 10:21 -0400, Steve Grubb wrote:
> On Monday 17 April 2006 09:24, Russell Coker wrote:
> > However audit administration requires root access, so now it seems to me
> > that we have a need for three accounts with UID==0, one for sysadm, one
> > for secadm, and one for auditadm.
> 
> Accounts or roles ? :)

So far we only have the option of passwords on accounts.

> > Are we really on the right track with this?
> 
> I think so, but I also wonder if we need another password database for roles. 
> For example, groups can have passwords. There may be situations where we need 
> separate passwords for each of the roles.

So you are suggesting something like the following:
login: root:staff_r:staff_t - password A.
newrole -r secadm_r - password B
newrole -r sysadm_r - password C
newrole -r auditadm_r - password D

login: root:secadm_r:secadm_t - password B I guess?

Keeping in mind that different login methods (/bin/login, sshd, and gdm)
can have different sets of permitted roles and different orders for such
roles, there's a lot of potential for confusion.

Then there's the issue of how to specify which role you want.  The
multiple option was removed from pam_selinux.so.  Maybe we need a
replacement for this functionality.

Also this sort of thing would demand poly-instantiated home directories
(not that it's an inherently bad thing, just something that needs to be
done).

> > If so we will need to get useradd changed to support creating such
> > accounts.
> 
> Semanage should have functionality added to it for adding passwords to roles 
> if we need it.

Also where would we store such role passwords?  /etc/rshadow?
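As an added illustration of the scheme sketched above (this is not code from the original post, and it is not how SELinux's newrole, pam_selinux or semanage actually work), the following prototype stores one salted PBKDF2 hash per role in a hypothetical /etc/rshadow-style file, keeps it separate from the account password in /etc/shadow, and refuses a role change unless both the role password checks out and the login program that started the session is permitted to hand out that role. The file format, the PERMITTED_ROLES table, the sample passwords and the rule that a role's default type is the role name with _r replaced by _t are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumption: each login program has its own list of roles it may grant,
# as the thread notes for /bin/login, sshd and gdm.  Values are constructed.
PERMITTED_ROLES = {
    "login": ["staff_r", "sysadm_r", "secadm_r", "auditadm_r"],
    "sshd": ["staff_r", "sysadm_r"],
    "gdm": ["staff_r"],
}

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor for the example


def make_entry(role, password, salt=None):
    """Build one line of the hypothetical rshadow file:
    role:pbkdf2_sha256:iterations:base64(salt):base64(hash)"""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%s:pbkdf2_sha256:%d:%s:%s" % (
        role,
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def parse_rshadow(text):
    """Parse the hypothetical file into {role: (iterations, salt, hash)}."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        role, algo, iters, salt, digest = line.split(":")
        if algo != "pbkdf2_sha256":
            raise ValueError("unsupported hash %r for role %s" % (algo, role))
        db[role] = (int(iters), base64.b64decode(salt), base64.b64decode(digest))
    return db


def verify_role_password(db, role, password):
    """Constant-time check of a candidate password against the role's entry."""
    entry = db.get(role)
    if entry is None:
        return False
    iters, salt, expected = entry
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(got, expected)


def newrole(db, context, target_role, password, login_method):
    """Model of 'newrole -r target_role' with a per-role password.

    context is user:role:type (e.g. root:staff_r:staff_t).  Returns the new
    context, or None if the login program may not grant the role or the
    role password is wrong.  The account password (password A in the
    thread) is never consulted here; it lives in /etc/shadow."""
    user, _current_role, _current_type = context.split(":")
    if target_role not in PERMITTED_ROLES.get(login_method, []):
        return None
    if not verify_role_password(db, target_role, password):
        return None
    # Assumption: the role's default type is the role name with _r -> _t.
    return "%s:%s:%s" % (user, target_role, target_role[:-2] + "_t")


# Constructed sample file: passwords B, C, D for the three admin roles.
# Fixed salts are used only so the sample is reproducible.
SAMPLE_RSHADOW = "\n".join([
    "# constructed sample /etc/rshadow, one line per role",
    make_entry("secadm_r", "password-B", salt=b"\x01" * 16),
    make_entry("sysadm_r", "password-C", salt=b"\x02" * 16),
    make_entry("auditadm_r", "password-D", salt=b"\x03" * 16),
])


if __name__ == "__main__":
    db = parse_rshadow(SAMPLE_RSHADOW)
    print(newrole(db, "root:staff_r:staff_t", "secadm_r", "password-B", "login"))
    print(newrole(db, "root:staff_r:staff_t", "secadm_r", "password-B", "sshd"))
```

The two calls at the bottom show the confusion the post warns about: the same root user with the same role password gets root:secadm_r:secadm_t from a console login but is refused after an sshd login, because the permitted-role list differs per login program.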
More information about the redhat-lspp mailing list