[redhat-lspp] semanage login -a vs useradd

Russell Coker rcoker at redhat.com
Thu May 4 10:32:15 UTC 2006


Currently you must run useradd before you run "semanage login -a" to
create a SE Linux identity.  Does this make sense?

The SE Linux identity needs to be created first if we are to initially
label the home directory with the correct label (which I think is a good
thing).  Also if we have a source of user account information such as
LDAP being used then there is more possibility for a need to create
identities before creating matching Unix accounts.

Finally there is no real need to create the Unix account first.  There
is no harm done by creating the identity first, in fact if the Unix
account is created with an enabled password before the identity is
created then the user may login with inappropriate permissions.

The next issue that derives from this is the creation of Unix accounts.
I think it would be convenient to have a single program create Unix
accounts with the SE Linux data.  In fact having "semanage user -a",
"semanage login -a" and "useradd" all combined into the one program
seems beneficial to me.  Among other benefits this would aid scripting
by having only one error point and improve performance by having all SE
Linux operations proceed under the one transaction.


What do you think?
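The ordering Russell argues for, written out as a small provisioning script. This is an added example and not code from the post or from the semanage/useradd maintainers. It assumes policycoreutils' `semanage login -a -s SEUSER -r RANGE LOGIN` and `semanage login -d`, shadow-utils' `useradd`/`passwd`, and that the SE Linux user being mapped to (here `staff_u`) already exists; `add_user_with_selinux`, `check_login_mapping`, the `DRY_RUN` variable and the login name `alice` are names chosen for the example. The identity mapping goes in first, the Unix account is created with useradd's default locked password, the home directory is relabelled, and only then is a password set, so there is no window in which the account is usable under the wrong SE Linux identity. (Later shadow-utils versions grew `useradd -Z SEUSER`, which does the login mapping as part of account creation, roughly the combined tool the post asks for; the script keeps the two steps explicit.)

```shell
#!/bin/sh
# Added example, not code from the original post. Creates the SE Linux login
# mapping BEFORE the Unix account so the home directory is labelled for the
# intended SE Linux user and no account exists before its identity does.
# Assumes policycoreutils' semanage and shadow-utils' useradd/passwd; the SE
# Linux user (e.g. staff_u) must already exist. DRY_RUN=1 prints the commands
# instead of executing them (hypothetical knob for this example).

# run CMD ARGS... : execute the command, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_user_with_selinux LOGIN SEUSER [MLSRANGE]
# Runs the steps in the safe order; returns non-zero on the first failure.
add_user_with_selinux() {
    login=$1
    seuser=$2
    range=${3:-s0}

    # 1. SE Linux identity first: map the Unix login to an existing SE Linux
    #    user. Doing this before useradd is what lets the home directory get
    #    the right label from the start.
    run semanage login -a -s "$seuser" -r "$range" "$login" || return 1

    # 2. Unix account. useradd leaves the password locked ('!' in /etc/shadow),
    #    so nobody can log in until step 4. On failure, remove the mapping so
    #    no dangling identity is left behind.
    run useradd -m "$login" || {
        run semanage login -d "$login"
        return 1
    }

    # 3. Belt and braces: relabel the home directory from the file contexts
    #    now that the mapping exists.
    run restorecon -R "/home/$login" || return 1

    # 4. Only now enable the account. passwd prompts interactively; a scripted
    #    deployment would use chpasswd or install an SSH key instead.
    run passwd "$login"
}

# check_login_mapping LOGIN : succeed if semanage lists a mapping for LOGIN
# (runs semanage for real, so it is not used in the dry-run path).
check_login_mapping() {
    semanage login -l | awk -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Usage: ./add_user.sh alice staff_u s0   (DRY_RUN=1 to preview the commands)
if [ $# -ge 2 ]; then
    add_user_with_selinux "$@"
fi
```

With `DRY_RUN=1` the script prints the four commands in order, which is a cheap way to review the sequence before running it on a real box; without it, every step runs under the caller's privileges and a failed `useradd` undoes the mapping it just created.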