One other note on this topic: Most Fedora SELinux users are not maintaining policy/users at present for individual users (beyond system_u/user_u/root distinctions) due to the lack of integrated user management, so they cannot take full advantage of the SELinux user identity and user-role authorizations. setools and setools-gui provide some help in this area, but not if you are using a distributed user database like NIS or LDAP. As a consequence, the typical approach among older SELinux users of individually authorizing staff users for staff_r and sysadm_r is problematic for the typical Fedora SELinux user. -- Stephen Smalley <sds@xxxxxxxxxxxxxx> National Security Agency
