using selinux to control user access to files

Stephen Smalley sds at
Fri May 6 13:17:15 UTC 2005

On Fri, 2005-05-06 at 09:19 -0400, Daniel J Walsh wrote:
> Yes I realize that but handling things like this with MAC is not that 
> easy.   Writing policy
> where different user roles have R, RW,RWX, No read is not a strong suit 
> of MAC.

For specific data files, it should be relatively straightforward; he
just needs to instantiate the roles via full_user_role(), define a few
new file types for the particular data he wants to restrict, and add
specific allow rules and auditallow rules between the new user domains
and the new file types.  I agree that a higher level language or tool
would make life simpler, but the mechanism is certainly capable of
supporting the need.

Stephen Smalley <sds at>
National Security Agency

More information about the fedora-selinux-list mailing list