Naming convention flames

Stephen Smalley sds at epoch.ncsc.mil
Fri Apr 2 15:05:36 UTC 2004


On Thu, 2004-04-01 at 17:55, murphy pope wrote:
> I've been struggling to understand some of this SELinux stuff so I can
> explain it to other users.  But I have my stupid-hat on these days.

yum install selinux-doc
cd /usr/share/SELinux
ggv policy.pdf

In particular, see section 3.
Note to Dan:  Might it be a good idea to have selinux-doc also include
the HTML version of the reports?  The Makefile already supports building
HTML from the DocBook sources.

Of course, I assume you've already looked at the Fedora SELinux FAQ and
the externally developed sourceforge selinux HOWTOs/FAQs.

> Why does SELinux use a separate user database?  Why doesn't SELinux
> read the /etc/passwd database instead of maintaining its own?  Has
> anybody ever said "hey, we've already got one database, things will
> get a whole lot clearer if we invent another one instead"? 

Section 3.3 of policy.pdf.  

> There seems to be some difference between a domain and a type,
> although given the lack of documentation, I'm not convinced of that. 
> If they are different, who's idea was it to use the same naming
> convention for both?  Why not user_t and user_d?  Use _t to indicate a
> type and _d to indicate a domain.  Or do they have to be from the same
> namespace?  Does a type named user_t always exactly correspond to a
> domain named user_t?  If so, what's the difference between a domain
> and a type?

Section 3.1 of policy.pdf.  Likely also covered by the externally
developed HOWTOs/FAQs.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency