Problems creating a user
ivg2 at cornell.edu
Mon Sep 26 17:28:26 UTC 2005
>This is probably doomed to failure, because the targeted policy cuts a *lot*
>of corners because it's not making any realistic attempt to protect legitimate
>system users/types from each other. You really need to start with the 'strict'
>policy - that has support for separating users.
It does not... it has support for separating types of users from other types of users...

...and the boundaries between the types are pretty much set in stone at this time - you can't easily change what roles can do - there's staff_r, sysadm_r, secadm_r, and that's it.
I wish RBAC would be more flexible...but it isn't (at least not yet).
DAC groups would probably be better for what you're trying to accomplish.
>(Basically, in the 'targeted' policy, so many things will treat
>'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being
>equivalent that you're not going to get anywhere useful....)
They're equivalent in strict policy as well. The user field of the
SELinux context is not really used at this time.
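To make the point about the user field concrete, here is an added example (not part of the original post or of any SELinux tool): a small POSIX shell helper that splits a security context of the form user:role:type[:level] into its fields and compares two contexts on the role and type fields only, which are the fields the type-enforcement rules consult. The two sample contexts are the ones quoted in the thread; the third, with an MLS range appended, is constructed to show the optional fourth field being handled.

```shell
#!/bin/sh
# Added example: parse SELinux contexts (user:role:type[:level]) and compare
# them on the fields that type enforcement actually uses, ignoring the user.

# ctx_field CONTEXT N -> prints field N (1=user, 2=role, 3=type)
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

ctx_user() { ctx_field "$1" 1; }
ctx_role() { ctx_field "$1" 2; }
ctx_type() { ctx_field "$1" 3; }

# ctx_level CONTEXT -> the optional MLS/MCS range (everything after the third
# colon, since the range itself may contain a colon); empty for 3-field contexts
ctx_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# same_enforcement_identity A B -> exit 0 when role and type match, 1 otherwise.
# The SELinux user field is deliberately not compared.
same_enforcement_identity() {
    [ "$(ctx_role "$1")" = "$(ctx_role "$2")" ] &&
    [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]
}

# Sample contexts: the two from the thread, plus a constructed one with a level.
CTX_A='user_u:object_r:unconfined_t'
CTX_B='system_u:object_r:unconfined_t'
CTX_C='system_u:object_r:unconfined_t:s0-s0:c0.c1023'

if same_enforcement_identity "$CTX_A" "$CTX_B"; then
    echo "$CTX_A and $CTX_B differ only in the user field ($(ctx_user "$CTX_A") vs $(ctx_user "$CTX_B"))"
fi
echo "level of $CTX_C: $(ctx_level "$CTX_C")"
```

Run it with any POSIX sh; the only external command used is cut. The helper deliberately has no knowledge of roles or types beyond string equality, so it is a way to inspect contexts (for example from `ls -Z` output), not a substitute for the policy's own access decisions.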