Problems creating a user
Ivan Gyurdiev
ivg2 at cornell.edu
Mon Sep 26 17:28:26 UTC 2005
>This is probably doomed to failure, because the targeted policy cuts a *lot*
>of corners because it's not making any realistic attempt to protect legitimate
>system users/types from each other. You really need to start with the 'strict'
>policy - that has support for separating users.
>
>
It does not... it has support for separating types of users from other
types of users...
...and the boundaries between the types are pretty much set in stone at
this time - you can't easily change what roles can do - there's staff_r,
sysadm_r, secadm_r, user_r, system_r, and that's it.
I wish RBAC would be more flexible... but it isn't (at least not yet).
DAC groups would probably be better for what you're trying to accomplish.

>(Basically, in the 'targeted' policy, so many things will treat
>'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being
>equivalent that you're not going to get anywhere useful....)
>
>
They're equivalent in strict policy as well. The user field of the
SELinux context is not really used at this time.