using selinux to control user access to files
Stephen Smalley
sds at tycho.nsa.gov
Fri May 6 12:03:16 UTC 2005
On Fri, 2005-05-06 at 08:04 -0400, Daniel J Walsh wrote:
> Hein Coulier wrote:
>
> >hi, newby speaking here (totally lost in the selinux labyrinth).
> >
> >What i want to accomplish with selinux is the following : i want to allow
> >different end-users (with different roles) to do something with some files.
> >I'll give you an example :
> >
> >fileA : may be read by roleA and roleB
> >fileB : may only be read by roleB ; audited
> >fileC : may be read and changed by roleB ; audited
> >
> >I read several pdf's, read the o'reilly book, but i seem to be unable to
> >achieve my goal.
> >Help would be appreciated.
> >
> >
> >
> You may want to look at ACLs and Auditing rather than SELinux.
ACLs are discretionary, so I don't think that will meet his need.
Suggestion:
1) Convert your machine to strict policy (so that you have real user
roles and domains),
2) Search the mailing list archives for discussions of how to add a new
user role to the policy (e.g. see the full_user_role() macro and
domains/user.te). Also, look at the recently added support for a
separate security administrator role introduced by Dan.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
More information about the fedora-selinux-list
mailing list