Naming convention flames

James Morris jmorris at redhat.com
Fri Apr 2 04:22:25 UTC 2004


On Thu, 1 Apr 2004, murphy pope wrote:

> I've been struggling to understand some of this SELinux stuff so I can
> explain it to other users.  But I have my stupid-hat on these days.
> 
> Why does SELinux use a separate user database?  Why doesn't SELinux read
> the /etc/passwd database instead of maintaining its own?  Has anybody
> ever said "hey, we've already got one database, things will get a whole
> lot clearer if we invent another one instead"? 

SELinux has an independent user identity model, which provides for more
rigorous identity based access control than standard Unix.  e.g. you can 
change Unix user id, but not SELinux user id.

The reason there are separate databases is that there is not a direct
mapping between Unix users and SELinux users.  Many users in /etc/passwd
can be mapped to a single SELinux user for access control purposes (e.g.
system_u).  There also needs to be a way to map the user to a set of 
roles, so a separate database is needed anyway.

> There seems to be some difference between a domain and a type, although
> given the lack of documentation, I'm not convinced of that.

This is unfortunately confusing.  Under SELinux, domains are actually
types: there is no difference.  Use of the term domain, referring to the
type associated with a process, stems from traditional TE models where 
domains and types are separate.

> Why do we need useradd and seuseradd?  Shouldn't useradd give me the
> option to create an identity? Or better yet, shouldn't useradd create an
> identity by default and give me the option to create a generic user
> instead?

An OS developer can probably answer this best.

> Sorry to sound so negative, but this stuff is not ready for prime-time
> and without some documentation, it never will be.  Without good
> documentation, you're gonna have to revert this whole project. When
> something goes wrong, I don't know if it's a bug, or if it's my error,
> or if it's working right and I just don't know what I'm doing.

The documentation is improving, at least.

Thanks for the feedback, we should probably add these questions to the 
FAQ.


- James
-- 
James Morris
<jmorris at redhat.com>
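To make the two-level mapping James describes concrete (many Linux logins to one SELinux user, then one SELinux user to a set of roles), here is an added example that is not part of the thread. It assumes the later seusers file format (login:seuser:mls_range, with a __default__ fallback) and the policy-language `user ... roles { ... };` declarations; both samples below are constructed.

```python
import re

# Constructed sample in the seusers format (login:seuser:mls_range).
# Several logins share staff_u; anyone not listed falls back to __default__.
SEUSERS = """\
__default__:user_u:s0
root:root:s0-s0:c0.c1023
alice:staff_u:s0
bob:staff_u:s0
"""

# Constructed sample of policy user declarations: each SELinux user
# is authorised for a fixed set of roles, independent of /etc/passwd.
POLICY_USERS = """\
user user_u roles { user_r };
user staff_u roles { staff_r sysadm_r };
user root roles { staff_r sysadm_r };
user system_u roles { system_r };
"""

USER_RE = re.compile(r"^user\s+(\S+)\s+roles\s*\{([^}]*)\}\s*;")


def parse_seusers(text):
    """Map each Linux login to its SELinux user (MLS range ignored here)."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        login, seuser, _mls_range = line.split(":", 2)  # range may contain ':'
        mapping[login] = seuser
    return mapping


def parse_policy_users(text):
    """Map each SELinux user to the frozenset of roles it may enter."""
    roles = {}
    for line in text.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            roles[m.group(1)] = frozenset(m.group(2).split())
    return roles


def resolve(login, seusers, policy_users):
    """Return (seuser, roles) for a login; unknown logins use __default__."""
    seuser = seusers.get(login, seusers.get("__default__"))
    if seuser is None:
        raise KeyError(f"no SELinux user for {login!r} and no __default__")
    if seuser not in policy_users:
        raise KeyError(f"SELinux user {seuser!r} is not declared in policy")
    return seuser, policy_users[seuser]
```

Note that alice and bob resolve to the same SELinux user and role set, which is exactly why a uid change in /etc/passwd cannot stand in for the SELinux identity.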