Re: some fixes to allow user roles in targeted policy

On Sat, 2004-08-14 at 14:19, Colin Walters wrote:
> I'm trying to create a restricted user domain with the targeted policy,
> e.g.:
> 
> full_user_role(test)
> 
> This turned up quite a number of issues.

It seems like this will just take you down the path of turning the
targeted policy into the strict policy.  So why not just use the strict
policy?

> Fourth, the user domain needs access to user_home_dir_t:dir.

Should be $1_home_dir_t, right?

> The fifth issue is access to /dev/pts.  The comment above the patch
> should explain things.  Is there a better solution here?

If you want any protection between users, you need the separate types on
the ptys (and ttys).  But as above, you are likely to increasingly find
yourself transforming the targeted policy into the strict policy to
achieve real separation, so why not just use the strict policy?

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

