Running under diff. accounts or using SELinux
Colin Walters
walters at redhat.com
Wed May 19 12:32:03 UTC 2004
On Wed, 2004-05-19 at 06:55, Mikkel Kruse Johnsen wrote:

> Hi All
>
> What is the relation between a process running under a system account
> or under domains ?

There's almost no relation. However SELinux does have a concept of
"user identity" that is derived from the system accounts. The SELinux
user identity is restricted to a set of roles, each of which stands for
a set of domains. Thus there is a relationship, but not a very direct
or strong one :)

In the cases you talk about though, typically you wouldn't have a
SELinux user defined.

> Are these co-existing or can SELinux domains replace system accounts ?

Completely coexisting.

> Ex. can apache just use "root" as system account and use domains to
> restrict it ?

Yes.

> Meaning do we need to have all these system account or can SELinux get
> rid of them ?
>
> Qmail is using 7 diff. system account, can I with SELinux just use
> "root" and have SELinux do the security !!!

Yes.

It's not recommended though - why throw away a level of security?
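
Added example, not part of the original message and not real SELinux policy: a toy Python model of the two independent checks the reply describes, the Unix account check and the SELinux user/role/domain check. All uids, type names and rules are constructed for illustration, including one deliberate policy mistake that shows what a separate system account still catches.

```python
# Toy model, constructed for illustration: not real SELinux policy or kernel logic.
USER_ROLES = {"system_u": {"system_r"}, "user_u": {"user_r"}}   # SELinux user -> roles
ROLE_DOMAINS = {"system_r": {"httpd_t", "qmail_t"}, "user_r": {"user_t"}}  # role -> domains
# Type-enforcement allow rules: (domain, object type) -> permissions.
TE_ALLOW = {
    ("httpd_t", "web_content_t"): {"read"},
    ("qmail_t", "mail_spool_t"): {"read", "write"},
    ("httpd_t", "mail_spool_t"): {"read"},   # deliberate policy mistake
}
# Constructed sample files: owner uid, owner/other permissions, SELinux type.
PAGE = {"owner": 0, "owner_perms": {"read", "write"}, "other_perms": {"read"}, "type": "web_content_t"}
SHADOW = {"owner": 0, "owner_perms": {"read", "write"}, "other_perms": set(), "type": "shadow_t"}
SPOOL = {"owner": 501, "owner_perms": {"read", "write"}, "other_perms": set(), "type": "mail_spool_t"}

def context_valid(context):
    """user:role:domain is valid only if the user may take the role and the role the domain."""
    user, role, domain = context.split(":")[:3]
    return role in USER_ROLES.get(user, set()) and domain in ROLE_DOMAINS.get(role, set())

def dac_allows(uid, obj, perm):
    """Classic Unix check on the system account; uid 0 bypasses it."""
    if uid == 0:
        return True
    perms = obj["owner_perms"] if uid == obj["owner"] else obj["other_perms"]
    return perm in perms

def mac_allows(context, obj, perm):
    """SELinux check: decided by the domain, never by the uid."""
    if not context_valid(context):
        return False
    domain = context.split(":")[2]
    return perm in TE_ALLOW.get((domain, obj["type"]), set())

def access(uid, context, obj, perm):
    """Both layers must agree; neither replaces the other."""
    return dac_allows(uid, obj, perm) and mac_allows(context, obj, perm)

if __name__ == "__main__":
    httpd = "system_u:system_r:httpd_t"
    for uid in (0, 48):   # root vs. a dedicated account (uid 48 is constructed)
        for name, obj in (("page", PAGE), ("shadow", SHADOW), ("spool", SPOOL)):
            print(uid, name, access(uid, httpd, obj, "read"))
```

With uid 0 the domain alone keeps the process out of the shadow file, but the mistaken rule lets it read the mail spool; with the dedicated account the Unix check still denies that read.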