Problems creating a user

Stephen Smalley sds at
Mon Sep 26 17:25:14 UTC 2005

On Mon, 2005-09-26 at 13:28 -0400, Ivan Gyurdiev wrote:
> It does not... it has support for separating types of users from other 
> types of users...

That is user separation, just not per-Linux user separation.
> ...and the boundaries between the types are pretty much set in stone at 
> this time - you can't
> easily change what roles can do - there's staff_r, sysadm_r, secadm_r, 
> user_r, system_r,
> and that's it.

...unless you modify policy sources.

> I wish RBAC would be more flexible...but it isn't (at least not yet).
> DAC groups would probably be better for what you're trying to accomplish.

Depends on what he wants to accomplish.  DAC cannot truly isolate users
in any mandatory sense.  

> >(Basically, in the 'targeted' policy, so many things will treat
> >'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being
> >equivalent that you're not going to get anywhere useful....)
> >  
> >
> They're equivalent in strict policy as well. The user field of the 
> SELinux context is not really used at this time.

The particular example might not be good, but the user identity does
come into play in strict policy in bounding the set of roles (and thus
the set of domains).

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list