Naming convention flames

Robert P. J. Day rpjday at mindspring.com
Fri Apr 2 15:21:35 UTC 2004


On Fri, 2 Apr 2004, Rui Miguel Seabra wrote:

> On Fri, 2004-04-02 at 07:40 -0500, murphy pope wrote:
> > > Many users in /etc/passwd can be mapped to a single SELinux user for
> > > access control purposes (e.g. system_u).
> > 
> > Sounds like /etc/group to me.  
> 
> Ok, let's say you have users john, jane, doe, and poe
> 
> then you have groups like:
> staff:x:n:john,jane,doe
> 
> and file xpto:
> 
> -rw-rw-r--  1 john staff 3399 Mar  9 00:40 xpto
> 
> How do you forbid doe from writing on xpto?
> 
> That's an example of what SELinux brings you, in terms of permissions.
> You can explicitly say xpto can't be written by doe.

on the other hand, why should you be *allowed* to prevent doe from
writing on xpto?  you've explicitly made doe part of the staff group,
and you've explicitly given the staff group write permission on that
file.  seems like these regular perms are doing exactly what they're
*supposed* to be doing, no?

as an aside, i *do* realize what point you're trying to make.  but i've
seen too many contrived examples of folks complaining about the effect
of regular permission files when the example they use is perfectly
reasonable and doesn't represent a limitation in the first place.

unless i've totally misread what you were getting at.

rday
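The disagreement above is about what the classic Unix permission check can and cannot express. The following is an added worked example, not code from the mail or its authors: it parses constructed /etc/passwd, /etc/group and `ls -l` style lines (the uids and gids are invented; the user, group and file names follow the thread) and applies the standard discretionary access control rule, under which exactly one permission class (owner, group, or other) is selected by the caller's identity and decides the outcome.

```python
"""Unix DAC access decision for the thread's xpto example.

Added example, not from the original mail. Sample data is constructed;
numeric uids/gids are invented. Implements the classic rule: pick ONE
permission class by identity (owner -> group -> other) and test only
that class's bits. There is no per-user veto inside a group.
"""

# Constructed sample data mirroring the thread.
PASSWD = """\
john:x:1001:1001::/home/john:/bin/sh
jane:x:1002:1002::/home/jane:/bin/sh
doe:x:1003:1003::/home/doe:/bin/sh
poe:x:1004:1004::/home/poe:/bin/sh
"""
GROUP = """\
john:x:1001:
jane:x:1002:
doe:x:1003:
poe:x:1004:
staff:x:50:john,jane,doe
"""
LS_LINE = "-rw-rw-r--  1 john staff 3399 Mar  9 00:40 xpto"


def parse_passwd(text):
    """Map user name -> (uid, primary gid) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """Map group name -> (gid, set of supplementary member names)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_ls(line):
    """Turn '-rw-rw-r-- 1 owner group size ...' into (mode, owner, group, name)."""
    fields = line.split()
    mode_str, owner, group, name = fields[0], fields[2], fields[3], fields[-1]
    mode = 0
    for ch in mode_str[1:10]:
        # 'S'/'T' mean setuid/setgid/sticky WITHOUT the exec bit; everything
        # else that is not '-' means the permission bit is set.
        mode = (mode << 1) | (ch not in "-ST")
    return mode, owner, group, name


def groups_of(user, users, groups):
    """All gids the user belongs to: primary gid plus supplementary groups."""
    _uid, primary = users[user]
    gids = {primary}
    for _gname, (gid, members) in groups.items():
        if user in members:
            gids.add(gid)
    return gids


def dac_allows(user, want, ls_line, users, groups):
    """Return True if the classic Unix check grants `want` (subset of 'rwx').

    Class selection is by identity and the other classes are ignored:
    a group member is judged by the group bits alone, so a single member
    cannot be denied while the group keeps the permission.
    """
    mode, owner, group, _name = parse_ls(ls_line)
    file_gid = groups[group][0]
    if user == owner:
        bits = (mode >> 6) & 7
    elif file_gid in groups_of(user, users, groups):
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    needed = sum(4 if c == "r" else 2 if c == "w" else 1 for c in want)
    return bits & needed == needed


def who_can_write(ls_line=LS_LINE):
    """Per-user write decision for the constructed xpto example."""
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    return {u: dac_allows(u, "w", ls_line, users, groups) for u in users}


if __name__ == "__main__":
    for user, ok in who_can_write().items():
        print(f"{user}: can write xpto = {ok}")
```

Running it shows john (owner), jane and doe (staff members) allowed and poe denied, which is the behaviour rday describes as the regular permissions doing exactly what they are supposed to. The only lever the DAC model offers to stop doe is to remove doe from staff or drop group write for everyone; a deny that names doe specifically while staff keeps write is not expressible in this check, which is the gap the quoted mail attributes to SELinux.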
