Problems creating a user

Ivan Gyurdiev ivg2 at
Mon Sep 26 17:28:26 UTC 2005

>This is probably doomed to failure, because the targeted policy cuts a *lot*
>of corners because it's not making any realistic attempt to protect legitimate
>system users/types from each other.  You really need to start with the 'strict'
>policy - that has support for separating users.
It does not... it has support for separating types of users from other
types of users...
...and the boundaries between the types are pretty much set in stone at
this time - you can't easily change what roles can do - there's staff_r,
sysadm_r, secadm_r, user_r, system_r, and that's it.

I wish RBAC would be more flexible...but it isn't (at least not yet).
DAC groups would probably be better for what you're trying to accomplish.

>(Basically, in the 'targeted' policy, so many things will treat
>'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being
>equivalent that you're not going to get anywhere useful....)
They're equivalent in strict policy as well. The user field of the 
SELinux context is not really used at this time.

More information about the fedora-selinux-list mailing list