On Thu, 2012-05-24 at 17:17 +0200, Andreas Jaeger wrote: <trimmed>
AFAICS SELinux appears to be capable of implementing RBAC with MAC, though it seems that not even Redhat makes use of that by default. Offering that with preconfigured roles for common tasks seems like a massive undertaking; extending YaST to assign roles to users in the user management modules is probably the easiest part.
Yeah, that's my fear as well. We need something practicable. Fortunately we might not need to do everything at once ;)
So, my call for help again: Please give some proposals on what kind of roles/scenarios we want to offer - and be as precise on the different roles/scenarios as possible.
Indeed: don't try to do it all at once, just add the granularity bit by bit. At the moment it is all-or-nothing (root or mortal).

One candidate role to start with is (using YaST terminology) "software": if you are a member of "software" you should be able to perform everything related to it. Of course root is a member of it, and if your system is installed as beginner/enduser/simpleton/... all new users will be part of it.

Second role is "networking", for configuring any network device.
Third for printing.
Fourth for daemons/services (in general).

If that is accepted positively, you can add a finer level; for instance, with networking you can split it up into fixed/wifi/wlan, and within services split it up into dhcp/dns/ldap/...

Another approach might be to start with one (for instance "software") and make that one fine-grained from the start, with individual roles for:
- installing / uninstalling
- updating
- repo configuration

And the next time, a second group. For instance "nfs", "samba", "iscsi".

If you implement it step by step, it would solve Johannes' objections: "I fear implementing roles becomes a huge piece of work - i.e. too much for now (in particular too much with the limited manpower behind our many YaST modules to implement roles therein). I wish to start with something really simple but to really start with implementing it right now and not discuss much longer about an ultimate final solution."

Hans
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
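The step-by-step role scheme Hans sketches above, written out as an added illustration (this is not code from the thread or from YaST): coarse roles that expand to a set of actions, finer roles added later as strict subsets, root implicitly holding everything, and a check that fails closed for unknown users, groups and actions. All group names, action names and the user-to-group membership table are constructed for the example.

```python
# Added illustration of the role proposal above; not code from the
# mailing-list thread or from YaST.  Every group and action name below is
# constructed for the example.

# Step 1: coarse roles, one per YaST area.  Membership in the role's group
# grants every action the role expands to.
COARSE_ROLES = {
    "software":   {"software:install", "software:uninstall",
                   "software:update", "software:repo-config"},
    "networking": {"network:wired", "network:wifi"},
    "printing":   {"printing:configure"},
    "services":   {"services:dhcp", "services:dns", "services:ldap"},
}

# Step 2: finer roles added later.  Each is a subset of a coarse role, so a
# user can be allowed to update packages without touching repositories.
FINE_ROLES = {
    "software-update": {"software:update"},
    "network-wifi":    {"network:wifi"},
}

ROLES = {**COARSE_ROLES, **FINE_ROLES}
KNOWN_ACTIONS = frozenset().union(*ROLES.values())

# Constructed user -> group membership table.
MEMBERSHIP = {
    "root":  {"software", "networking", "printing", "services"},
    "alice": {"software"},          # full coarse role
    "bob":   {"software-update"},   # fine-grained role only
    "carol": {"users"},             # "mortal": no role at all
}


def permitted_actions(user, membership=MEMBERSHIP):
    """Return the set of actions the user's group memberships grant."""
    if user == "root":
        return set(KNOWN_ACTIONS)   # root stays all-powerful, as today
    allowed = set()
    for group in membership.get(user, ()):
        allowed |= ROLES.get(group, set())   # unknown groups grant nothing
    return allowed


def is_allowed(user, action, membership=MEMBERSHIP):
    """Fail closed: unknown users, groups and action names are all denied."""
    if action not in KNOWN_ACTIONS:
        return False
    return action in permitted_actions(user, membership)


def fine_roles_are_subsets():
    """Policy sanity check: no fine role may grant an action outside the
    coarse roles, so adding granularity later can never widen access."""
    coarse = frozenset().union(*COARSE_ROLES.values())
    return all(actions <= coarse for actions in FINE_ROLES.values())


if __name__ == "__main__":
    for user in MEMBERSHIP:
        print(f"{user:6} -> {sorted(permitted_actions(user))}")
    print("fine roles are subsets:", fine_roles_are_subsets())
```

The subset check is the part worth keeping when a real policy grows: it is what lets the "one coarse group now, finer groups later" plan be adopted without a later fine-grained role quietly granting something the coarse role never did.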