some fixes to allow user roles in targeted policy
Stephen Smalley
sds at epoch.ncsc.mil
Mon Aug 16 12:56:02 UTC 2004
On Sat, 2004-08-14 at 14:19, Colin Walters wrote:
> I'm trying to create a restricted user domain with the targeted policy,
> e.g.:
>
> full_user_role(test)
>
> This turned up quite a number of issues.
It seems like this will just take you down the path of turning the
targeted policy into the strict policy. So why not just use the strict
policy?
> Fourth, the user domain needs access to user_home_dir_t:dir.
Should be $1_home_dir_t, right?
> The fifth issue is access to /dev/pts. The comment above the patch
> should explain things. Is there a better solution here?
If you want any protection between users, you need the separate types on
the ptys (and ttys). But as above, you are likely to increasingly find
yourself transforming the targeted policy into the strict policy to
achieve real separation, so why not just use the strict policy?
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the fedora-selinux-list
mailing list