Problems creating a user

Stephen Smalley sds at
Mon Sep 26 17:19:51 UTC 2005

On Mon, 2005-09-26 at 13:05 -0400, Valdis.Kletnieks at wrote:
> On Mon, 26 Sep 2005 12:31:51 +0200, Armando Aznar said:
> > I have enabled the targeted policy, so all the users run with the user
> > "user_u" (then all the users have all the permissions in SELinux).
> > How could I create a user who runs with the user "system_u" so this user doesn't
> > have all the permissions?
> This is probably doomed to failure, because the targeted policy cuts a *lot*
> of corners because it's not making any realistic attempt to protect legitimate
> system users/types from each other.  You really need to start with the 'strict'
> policy - that has support for separating users.
> (Basically, in the 'targeted' policy, so many things will treat
> 'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being
> equivalent that you're not going to get anywhere useful....)

Just to affirm this point:  Targeted policy is not suitable for user
separation.  Convert to strict policy if you want user separation.

(Sidebar: The only reason targeted policy even has multiple user
identities and roles defined is for context compatibility with strict
policy.  If the policy language had a notion of user and role aliases to
parallel the type alias construct, the users and roles would all just be
aliased together for targeted policy.)

Stephen Smalley
National Security Agency
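An added check illustrating the point of this thread (example code, not from the list post or from the SELinux project): it reads the policy type from an `/etc/selinux/config`-style text and a set of per-login process contexts in `id -Z` form, and reports which logins get no real separation from their SELinux user identity. The config text and the login-to-context samples are constructed; the rule it encodes is the one stated above: under the targeted policy every login runs in `unconfined_t`, so `user_u` versus `system_u` is cosmetic, and only a confined domain under strict policy separates users.

```python
import re
from dataclasses import dataclass

# Constructed sample of /etc/selinux/config (the SELINUX and SELINUXTYPE keys are real).
SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

# Constructed `id -Z` output for two logins on a targeted-policy box.
ID_Z_SAMPLES = {
    "alice": "user_u:system_r:unconfined_t",
    "bob": "system_u:system_r:unconfined_t",
}

# user:role:type with an optional MLS/MCS range after the type.
CONTEXT_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+)(?::(?P<range>.+))?$")


@dataclass
class Context:
    user: str
    role: str
    type: str


def parse_context(raw: str) -> Context:
    m = CONTEXT_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a SELinux context: {raw!r}")
    return Context(m["user"], m["role"], m["type"])


def policy_type(config_text: str) -> str:
    """Return the SELINUXTYPE value (e.g. 'targeted' or 'strict'), ignoring comments."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("SELINUXTYPE="):
            return line.split("=", 1)[1].strip()
    raise ValueError("SELINUXTYPE not set")


def separation_report(config_text: str, contexts: dict) -> dict:
    """Map each login that is NOT separated by its SELinux user identity to the reason."""
    ptype = policy_type(config_text)
    unseparated = {}
    for login, raw in contexts.items():
        c = parse_context(raw)
        if ptype == "targeted":
            unseparated[login] = f"targeted policy: {c.user} still runs unconfined_t, identity is cosmetic"
        elif c.type == "unconfined_t":
            unseparated[login] = f"{ptype} policy but login domain is unconfined_t"
    return unseparated
```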
