On Thu, 2004-04-01 at 17:55, murphy pope wrote:

> I've been struggling to understand some of this SELinux stuff so I can
> explain it to other users. But I have my stupid-hat on these days.

yum install selinux-doc
cd /usr/share/SELinux
ggv policy.pdf

In particular, see section 3.

Note to Dan: Might it be a good idea to have selinux-doc also include the HTML version of the reports? The Makefile already supports building HTML from the DocBook sources.

Of course, I assume you've already looked at the Fedora SELinux FAQ and the externally developed sourceforge selinux HOWTOs/FAQs.

> Why does SELinux use a separate user database? Why doesn't SELinux
> read the /etc/passwd database instead of maintaining its own? Has
> anybody ever said "hey, we've already got one database, things will
> get a whole lot clearer if we invent another one instead"?

Section 3.3 of policy.pdf.

> There seems to be some difference between a domain and a type,
> although given the lack of documentation, I'm not convinced of that.
> If they are different, whose idea was it to use the same naming
> convention for both? Why not user_t and user_d? Use _t to indicate a
> type and _d to indicate a domain. Or do they have to be from the same
> namespace? Does a type named user_t always exactly correspond to a
> domain named user_t? If so, what's the difference between a domain
> and a type?

Section 3.1 of policy.pdf. Likely also covered by the externally developed HOWTOs/FAQs.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency