Using group membership for role-based access

In larger environments, access controls are usually granted based on group membership. Group membership is easier to manage than individual permissions: adding a user to or removing a user from a group grants or revokes the associated permissions automatically, and administrators can easily determine which permissions a user has from the groups the user belongs to.

How to do it…

In order to use group membership as a high-level method for assigning permissions, administrators need to take care of the following aspects:

  1. Add user(s) to the groups they should belong to:
    ~# gpasswd -a user1 dba
    ~# gpasswd -a user1 dev
    
  2. Assign the proper SELinux user to the group:
    ~# semanage login -s dbadm_u %dba
    
  3. Restrict binaries and libraries ...
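The `semanage login` mapping in step 2 ends up in the `seusers` file, and a login can match more than one entry (user1 above is in both `dba` and `dev`). The following added example (not from the book) simulates how that file is resolved: an exact login name wins, otherwise the first matching `%group` entry in file order, otherwise `__default__`; the precedence follows libselinux's seusers lookup as I understand it, and the mapping file and group membership are constructed sample data.

```python
"""Simulate SELinux login-to-seuser resolution from a seusers-format mapping.

Resolution order (assumed to mirror libselinux): exact login name, then the
first matching %group entry in file order, then __default__. Sample data is
constructed for illustration; it is not taken from a real system."""

# Constructed mapping in seusers format: login:seuser[:mls-range]
SEUSERS = """\
# comment lines and blank lines are ignored
__default__:user_u:s0
%dba:dbadm_u:s0
%dev:staff_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
"""

# Constructed group membership, as `gpasswd -a user1 dba` etc. would produce
GROUPS = {"dba": {"user1", "alice"}, "dev": {"user1", "bob"}}


def parse_seusers(text):
    """Yield (login, seuser, mls_range) triples, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 keeps the colons inside an MLS range such as s0-s0:c0.c1023
        parts = line.split(":", 2)
        login, seuser = parts[0], parts[1]
        mls = parts[2] if len(parts) > 2 else None
        yield login, seuser, mls


def resolve_seuser(login, seusers=SEUSERS, groups=GROUPS):
    """Return (seuser, mls_range) for a Linux login, or None if nothing matches."""
    group_match = default = None
    for name, seuser, mls in parse_seusers(seusers):
        if name == login:
            return seuser, mls                # exact login wins immediately
        if name.startswith("%"):
            if group_match is None and login in groups.get(name[1:], ()):
                group_match = (seuser, mls)   # only the first group match counts
        elif name == "__default__" and default is None:
            default = (seuser, mls)
    return group_match or default


if __name__ == "__main__":
    for user in ("user1", "bob", "root", "nobody"):
        print(user, "->", resolve_seuser(user))
```

Because user1 matches `%dba` before `%dev`, the order in which the group mappings were added decides which SELinux user a multi-group member gets; check the effective mapping with `semanage login -l` rather than assuming it.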
