using selinux to control user access to files

Stephen Smalley sds at
Fri May 6 12:03:16 UTC 2005

On Fri, 2005-05-06 at 08:04 -0400, Daniel J Walsh wrote:
> Hein Coulier wrote:
> >Hi, newbie speaking here (totally lost in the SELinux labyrinth).
> >
> >What I want to accomplish with SELinux is the following: I want to allow
> >different end-users (with different roles) to do something with some files.
> >I'll give you an example:
> >
> >fileA: may be read by roleA and roleB
> >fileB: may only be read by roleB; audited
> >fileC: may be read and changed by roleB; audited
> >
> >I read several PDFs, read the O'Reilly book, but I seem to be unable to
> >achieve my goal.
> >Help would be appreciated.
> >
> You may want to look at ACLs and Auditing rather than SELinux.

ACLs are discretionary, so I don't think that will meet his need.

1) Convert your machine to strict policy (so that you have real user
roles and domains),
2) Search the mailing list archives for discussions of how to add a new
user role to the policy (e.g. see the full_user_role() macro and
domains/user.te).  Also, look at the recently added support for a
separate security administrator role introduced by Dan.

Stephen Smalley <sds at>
National Security Agency
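The following is an added illustration, not part of the original thread and not code from the Fedora policy sources: a type-enforcement fragment in the style of the 2005-era strict "example" policy that Stephen's two steps point at, implementing Hein's fileA/fileB/fileC requirements. It assumes that full_user_role(prefix) behaves as in macros/user_macros.te (defining the domain prefix_t and the role prefix_r), that the attributes file_type and sysadmfile and the permission macros r_file_perms and rw_file_perms exist as in the example policy of that time, and that the paths under /srv/data are placeholders. The type, role and domain names (rolea_t, fileb_t, etc.) are invented for this example.

```selinux
# Added example (not from the original message or the policy sources).
# ASSUMPTION: full_user_role(prefix) defines prefix_t / prefix_r as in
# macros/user_macros.te of the 2005 strict example policy; file_type,
# sysadmfile, r_file_perms and rw_file_perms are the attributes/macros
# from that policy. All names below are invented for illustration.

# --- domains/user.te: one domain/role pair per class of end-user ---
full_user_role(rolea)     # defines domain rolea_t and role rolea_r
full_user_role(roleb)     # defines domain roleb_t and role roleb_r

# --- types for the three files, so rules can tell them apart ---
# (a file's label, not its path or owner, is what the policy decides on)
type filea_t, file_type, sysadmfile;
type fileb_t, file_type, sysadmfile;
type filec_t, file_type, sysadmfile;

# fileA: readable by roleA and roleB, not audited.
allow { rolea_t roleb_t } filea_t:file r_file_perms;

# fileB: readable only by roleB; every *granted* read is logged.
# (Denials are audited by default, so roleA's attempts appear as AVC
#  denials without any extra rule; never add a dontaudit for these types.)
allow roleb_t fileb_t:file r_file_perms;
auditallow roleb_t fileb_t:file { read getattr };

# fileC: read and write for roleB, both audited.
allow roleb_t filec_t:file rw_file_perms;
auditallow roleb_t filec_t:file { read write getattr };

# --- file_contexts/file_contexts: label the files on disk ---
# /srv/data/fileA  --  system_u:object_r:filea_t
# /srv/data/fileB  --  system_u:object_r:fileb_t
# /srv/data/fileC  --  system_u:object_r:filec_t
# (placeholder paths; apply with restorecon -v /srv/data/file? after loading)

# --- users: bind Linux accounts to the new roles ---
# user hein roles { rolea_r };
# user bob  roles { roleb_r };
```

Two caveats worth knowing before relying on this. First, rolea_t and roleb_t here are the users' login domains; a program the user runs that transitions to another domain (a domain_auto_trans in the policy) is governed by that domain's rules, not these, so check what the user's shell and editor actually run as with `ps -Z`. Second, auditallow only records accesses the policy permits; a write by roleA to fileC is denied and shows up as an ordinary AVC denial (for example via `ausearch -m AVC` on a system running auditd, or in the kernel log otherwise), which is what gives fileB and fileC their "audited" property in both directions.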

More information about the fedora-selinux-list mailing list