On Fri, 2004-04-02 at 10:21 -0500, Robert P. J. Day wrote:
> On Fri, 2 Apr 2004, Rui Miguel Seabra wrote:
>
> > On Fri, 2004-04-02 at 07:40 -0500, murphy pope wrote:
> > > > Many users in /etc/passwd can be mapped to a single SELinux user for
> > > > access control purposes (e.g. system_u).
> > >
> > > Sounds like /etc/group to me.
> >
> > Ok, let's say you have users john, jane, doe, and poe
> >
> > then you have groups like:
> > staff:x:n:john,jane,doe
> >
> > and file xpto:
> >
> > -rw-rw-r-- 1 john staff 3399 Mar 9 00:40 xpto
> >
> > How do you forbid doe from writing on xpto?
> >
> > That's an example of what SELinux brings you, in terms of permissions.
> > You can explicitly say xpto can't be written by doe.
>
> on the other hand, why should you be *allowed* to prevent doe from
> writing on xpto? you've explicitly made doe part of the staff group,
> and you've explicitly given the staff group write permission on that
> file. seems like these regular perms are doing exactly what they're
> *supposed* to be doing, no?

No. doe might be a junior staff member, for instance.

Other instance I didn't say: How do you make poe be able to write to the
file without making him a member of group staff or making the file world
writable?

Rui

> unless i've totally misread what you were getting at.

You must've missed the point of ACLs. This is very important in terms of
security, and if I had this when I installed some systems a couple of
years ago, I wouldn't need to toy around with intermediate users to avoid
direct +w permissions from some users to certain files that can't be +w
for some others.

Rui

-- 
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Please AVOID sending me WORD, EXCEL or POWERPOINT attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
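The two questions in the thread (keep doe, a staff member, from writing xpto; let poe write it without joining staff or making it world-writable) are exactly what POSIX ACLs answer. The following is an added illustration, not part of the original mail: it models the file from the thread (john:staff, mode rw-rw-r--) and implements the access-check order documented in acl(5) (owner entry, then named-user entry, then owning-group and named-group entries under the mask, then other). The group memberships, the two ACL entries and the `setfacl` invocation in the comment are constructed for the example.

```python
"""Worked POSIX ACL access check, modelled on the xpto example from the thread.

Constructed example (not from the original mail). The check order follows acl(5):
  1. owner            -> ACL_USER_OBJ
  2. named user       -> ACL_USER, limited by ACL_MASK
  3. owning/named grp -> ACL_GROUP_OBJ / ACL_GROUP, limited by ACL_MASK; if any
                         matching group entry grants the request, allow, otherwise
                         deny without falling through to "other"
  4. everybody else   -> ACL_OTHER
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1


def perms(s: str) -> int:
    """Turn an 'rwx'-style triple into a permission bitmask ('rw-' -> 6)."""
    return (R if s[0] == "r" else 0) | (W if s[1] == "w" else 0) | (X if s[2] == "x" else 0)


@dataclass
class Acl:
    owner_user: str
    owner_group: str
    user_obj: int                                   # ACL_USER_OBJ  (owner bits)
    group_obj: int                                  # ACL_GROUP_OBJ (owning-group bits)
    other: int                                      # ACL_OTHER
    users: Dict[str, int] = field(default_factory=dict)   # ACL_USER  name -> bits
    groups: Dict[str, int] = field(default_factory=dict)  # ACL_GROUP name -> bits
    mask: Optional[int] = None                      # ACL_MASK, present when named entries exist


def check_access(acl: Acl, user: str, user_groups: Set[str], requested: int) -> bool:
    """Return True if `user` (member of `user_groups`) is granted `requested` bits."""
    mask = acl.mask if acl.mask is not None else R | W | X
    if user == acl.owner_user:                      # 1. owner entry, never masked
        return requested & ~acl.user_obj == 0
    if user in acl.users:                           # 2. named user beats group membership
        return requested & ~(acl.users[user] & mask) == 0
    candidates = []                                 # 3. every matching group entry
    if acl.owner_group in user_groups:
        candidates.append(acl.group_obj)
    candidates += [bits for g, bits in acl.groups.items() if g in user_groups]
    if candidates:
        return any(requested & ~(bits & mask) == 0 for bits in candidates)
    return requested & ~acl.other == 0              # 4. other


# Constructed group memberships as in the thread: staff = john, jane, doe; poe is outside.
GROUPS: Dict[str, Set[str]] = {
    "john": {"staff"}, "jane": {"staff"}, "doe": {"staff"}, "poe": {"users"},
}

# Plain mode-only file from the thread:  -rw-rw-r-- 1 john staff ... xpto
PLAIN = Acl("john", "staff", perms("rw-"), perms("rw-"), perms("r--"))

# Same file after the (constructed) command:  setfacl -m u:doe:r--,u:poe:rw- xpto
# setfacl recalculates the mask to the union of the group-class entries, here rw-.
WITH_ACL = Acl("john", "staff", perms("rw-"), perms("rw-"), perms("r--"),
               users={"doe": perms("r--"), "poe": perms("rw-")}, mask=perms("rw-"))

# Edge case: a tightened mask (setfacl -m m::r-- xpto) caps every named-user and
# group entry, so poe's rw- entry becomes effectively r-- without being edited.
WITH_TIGHT_MASK = Acl("john", "staff", perms("rw-"), perms("rw-"), perms("r--"),
                      users={"doe": perms("r--"), "poe": perms("rw-")}, mask=perms("r--"))


def who_can_write(acl: Acl) -> list:
    """Sorted list of the constructed users allowed to write the file."""
    return sorted(u for u, gs in GROUPS.items() if check_access(acl, u, gs, W))


if __name__ == "__main__":
    print("mode only :", who_can_write(PLAIN))            # ['doe', 'jane', 'john']
    print("with ACL  :", who_can_write(WITH_ACL))         # ['jane', 'john', 'poe']
    print("tight mask:", who_can_write(WITH_TIGHT_MASK))  # ['john']
```

The named-user entry for doe is consulted before any group entry, so his staff membership no longer implies write access, while poe gets write access from his own entry without joining staff or relaxing the "other" bits. The third file shows the check a practitioner should make after `setfacl`: read the mask line in `getfacl` output, because a restrictive mask silently caps every named entry.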