On Thu, 1 Apr 2004, murphy pope wrote:

> I've been struggling to understand some of this SELinux stuff so I can
> explain it to other users. But I have my stupid-hat on these days.
>
> Why does SELinux use a separate user database? Why doesn't SELinux read
> the /etc/passwd database instead of maintaining its own? Has anybody
> ever said "hey, we've already got one database, things will get a whole
> lot clearer if we invent another one instead"?

SELinux has an independent user identity model, which provides for more
rigorous identity-based access control than standard Unix, e.g. you can
change Unix user id, but not SELinux user id.

The reason there are separate databases is that there is not a direct
mapping between Unix users and SELinux users. Many users in /etc/passwd
can be mapped to a single SELinux user for access control purposes
(e.g. system_u). There also needs to be a way to map the user to a set
of roles, so a separate database is needed anyway.

> There seems to be some difference between a domain and a type, although
> given the lack of documentation, I'm not convinced of that.

This is unfortunately confusing. Under SELinux, domains are actually
types: there is no difference. Use of the term domain, referring to the
type associated with a process, stems from traditional TE models where
domains and types are separate.

> Why do we need useradd and seuseradd? Shouldn't useradd give me the
> option to create an identity? Or better yet, shouldn't useradd create an
> identity by default and give me the option to create a generic user
> instead?

An OS developer can probably answer this best.

> Sorry to sound so negative, but this stuff is not ready for prime-time
> and without some documentation, it never will be. Without good
> documentation, you're gonna have to revert this whole project. When
> something goes wrong, I don't know if it's a bug, or if it's my error,
> or if it's working right and I just don't know what I'm doing.

The documentation is improving, at least.

Thanks for the feedback, we should probably add these questions to the FAQ.

- James

--
James Morris <jmorris@xxxxxxxxxx>
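The many-to-one mapping from Unix logins to SELinux users, and from SELinux users to role sets, that James describes above can be made concrete with a small model. The following is an added example, not code from the thread or from the SELinux project: it parses constructed samples written in the style of a policy `user` declaration (`user name roles { ... };`) and of the later `seusers` login mapping file (`login:seuser`, with `__default__` as the fallback), both of which are assumptions about file layout for illustration and post-date this 2004 message. The functions `roles_for_login`, `logins_per_seuser` and `may_enter_role` are hypothetical helpers; the real role check is done by the kernel policy, not by userspace lookups like these.

```python
"""Toy model of the SELinux login -> SELinux user -> roles indirection.

Constructed sample data and assumed file layouts; this is an illustration
of the data model, not a reimplementation of any SELinux component.
"""

# Constructed sample in the style of kernel policy 'user' declarations:
#   user <seuser> roles { <role> ... };
POLICY_USERS = """
user system_u roles { system_r };
user user_u roles { user_r };
user staff_u roles { staff_r sysadm_r };
"""

# Constructed sample in the style of an seusers file (login:seuser; the
# MLS range field that a real file may carry is omitted here).
SEUSERS = """
__default__:user_u
root:staff_u
alice:staff_u
bob:user_u
"""

# Constructed /etc/passwd excerpt; only the login column is used.
PASSWD = """
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
"""


def parse_policy_users(text):
    """Return {seuser: frozenset(roles)} from 'user X roles { ... };' lines."""
    users = {}
    for raw in text.strip().splitlines():
        line = raw.strip().rstrip(";")
        if not line.startswith("user "):
            continue
        name, _, rest = line[len("user "):].partition(" roles ")
        users[name.strip()] = frozenset(rest.strip("{} ").split())
    return users


def parse_seusers(text):
    """Return {login: seuser}; '__default__' is the catch-all entry."""
    mapping = {}
    for raw in text.strip().splitlines():
        fields = raw.strip().split(":")
        if len(fields) >= 2:
            mapping[fields[0]] = fields[1]
    return mapping


def parse_passwd_logins(text):
    """Return the login names from a passwd-style file."""
    return [line.split(":")[0] for line in text.strip().splitlines() if line]


def seuser_for_login(login, seusers):
    """Resolve a Unix login to its SELinux user, falling back to __default__."""
    return seusers.get(login, seusers.get("__default__"))


def roles_for_login(login, seusers, policy_users):
    """Roles reachable by a login, via its SELinux user.

    A login whose SELinux user is not declared in the policy is an error,
    which is the kind of misconfiguration a separate database makes visible.
    """
    seuser = seuser_for_login(login, seusers)
    if seuser not in policy_users:
        raise ValueError(f"login {login!r} maps to undeclared SELinux user {seuser!r}")
    return policy_users[seuser]


def logins_per_seuser(passwd_logins, seusers):
    """Group Unix logins by SELinux user, showing the many-to-one mapping."""
    grouped = {}
    for login in passwd_logins:
        grouped.setdefault(seuser_for_login(login, seusers), []).append(login)
    return grouped


def may_enter_role(login, role, seusers, policy_users):
    """True if the login's SELinux user is authorised for the given role."""
    return role in roles_for_login(login, seusers, policy_users)


if __name__ == "__main__":
    policy = parse_policy_users(POLICY_USERS)
    seusers = parse_seusers(SEUSERS)
    for seuser, logins in logins_per_seuser(parse_passwd_logins(PASSWD), seusers).items():
        print(f"{seuser}: {', '.join(logins)} -> roles {sorted(policy[seuser])}")
```

Running it shows why `/etc/passwd` alone cannot carry this information: `carol` has no entry of her own and lands on `user_u` through `__default__`, `root` and `alice` share `staff_u`, and the role set belongs to the SELinux user rather than to any Unix uid.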