On Sat, 2004-08-14 at 14:19, Colin Walters wrote: > I'm trying to create a restricted user domain with the targeted policy, > e.g.: > > full_user_role(test) > > This turned up quite a number of issues. It seems like this will just take you down the path of turning the targeted policy into the strict policy. So why not just use the strict policy? > Fourth, the user domain needs access to user_home_dir_t:dir. Should be $1_home_dir_t, right? > The fifth issue is access to /dev/pts. The comment above the patch > should explain things. Is there a better solution here? If you want any protection between users, you need the separate types on the ptys (and ttys). But as above, you are likely to increasingly find yourself transforming the targeted policy into the strict policy to achieve real separation, so why not just use the strict policy? -- Stephen Smalley <sds@xxxxxxxxxxxxxx> National Security Agency