Problems creating a user

Ivan Gyurdiev ivg2 at cornell.edu
Mon Sep 26 17:28:26 UTC 2005


>This is probably doomed to failure, because the targeted policy cuts a *lot*
>of corners because it's not making any realistic attempt to protect legitimate
>system users/types from each other.  You really need to start with the 'strict'
>policy - that has support for separating users.

It does not... it has support for separating types of users from other
types of users... and the boundaries between the types are pretty much set
in stone at this time - you can't easily change what roles can do - there's
staff_r, sysadm_r, secadm_r, user_r, system_r, and that's it.

I wish RBAC would be more flexible...but it isn't (at least not yet).
DAC groups would probably be better for what you're trying to accomplish.

>(Basically, in the 'targeted' policy, so many things will treat
>'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being
>equivalent that you're not going to get anywhere useful....)

They're equivalent in strict policy as well. The user field of the SELinux
context is not really used at this time.
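The reply above turns on two facts about SELinux security contexts: the set of roles on a strict-policy system is small and fixed (`staff_r`, `sysadm_r`, `secadm_r`, `user_r`, `system_r`), and the user field does not by itself distinguish two contexts. The script below is an added example, not code from the mailing-list post or from the SELinux project; it parses `user:role:type[:level]` contexts, groups processes from a constructed `ps -eZ`-style listing by role, and compares two contexts while ignoring the user field. The sample process lines, the `same_domain` helper and the `Context` type are assumptions made for the example.

```python
# Added example (not from the mailing-list post): parse SELinux security
# contexts and group processes by role, to show that the roles on a
# strict-policy system are a small fixed set and that the user field
# (user_u vs system_u) is not what distinguishes two contexts.
from collections import defaultdict
from typing import NamedTuple, Optional


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # MLS/MCS range; absent on older policies


def parse_context(ctx: str) -> Context:
    """Split 'user:role:type[:level]' into its fields."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return Context(user, role, type_, level)


def same_domain(a: str, b: str) -> bool:
    """True when two contexts agree on role and type, ignoring the user field."""
    ca, cb = parse_context(a), parse_context(b)
    return (ca.role, ca.type) == (cb.role, cb.type)


# Constructed sample in the shape of `ps -eZ` output (LABEL PID TTY TIME CMD);
# the PIDs and commands are made up for the example.
SAMPLE_PS = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t            1 ?        00:00:01 init
system_u:system_r:syslogd_t       812 ?        00:00:00 syslogd
staff_u:staff_r:staff_t          2044 pts/0    00:00:00 bash
staff_u:sysadm_r:sysadm_t        2101 pts/0    00:00:00 bash
user_u:user_r:user_t             2207 pts/1    00:00:00 bash
"""


def processes_by_role(ps_output: str) -> dict:
    """Map each SELinux role to the list of commands running in it."""
    by_role = defaultdict(list)
    for line in ps_output.splitlines()[1:]:  # skip the header line
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        ctx = parse_context(fields[0])
        by_role[ctx.role].append(fields[4])
    return dict(by_role)


if __name__ == "__main__":
    for role, cmds in sorted(processes_by_role(SAMPLE_PS).items()):
        print(f"{role:10} {', '.join(cmds)}")
    print(same_domain("user_u:object_r:unconfined_t",
                      "system_u:object_r:unconfined_t"))  # True
```

Running it on real `ps -eZ` output instead of `SAMPLE_PS` gives a quick inventory of which roles are actually in use on a host; the `same_domain` comparison is the check behind the "equivalent" remark in the quoted text, since the two unconfined contexts differ only in the user field.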
