Re: User policy problem with strict policy

On Thu, 2004-10-14 at 12:02, James Morris wrote:
> I don't know, I just wanted to restore what I thought was normal behavior.

Separate roles per user were never part of the example policy.
It is true that common practice prior to and outside of the Fedora
SELinux implementation is to at least maintain separate entries in
policy/users for users authorized for staff_r and sysadm_r, and
optionally to maintain separate entries for users authorized for user_r
to provide stronger user accountability even though they had the same
permissions.

> So even in strict policy now, all normal users are user_u:user_r:user_t  ?

That's the default.  You can disable user_canbe_sysadm and explicitly
authorize users for staff_r/sysadm_r/system_r for better security. 
Then, user_r users cannot use su/sudo/userhelper to gain privileges, and
access to sysadm_r is entirely governed by policy.  That doesn't require
creating separate roles per user.  But the lack of integration of
existing user databases and tools with the SELinux users database makes
it difficult to disable user_canbe_sysadm by default.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
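As an added illustration (not part of the mail above, and not the policy's own shipped files), here is what the configuration Stephen describes looks like in the m4-based example policy source tree of that period: the user_canbe_sysadm tunable commented out, and explicit entries in the users file authorizing named accounts for staff_r/sysadm_r while everyone else stays in user_r. The file names, the account names "alice" and "bob", and the exact tunable layout are assumptions based on the example policy of that era.

```m4
dnl --- tunable.te (Fedora kept tunables under tunables/) -- assumed location ---
dnl When defined, the generic identity user_u is also authorized for
dnl sysadm_r/system_r, so su/sudo/userhelper can carry an ordinary login
dnl into sysadm_r.  Disabled here by commenting the define out with dnl:
dnl define(`user_canbe_sysadm')

dnl --- users (the SELinux users database in the policy source) -- assumed ---
dnl Generic identity for Linux logins with no entry of their own: user_r only.
dnl With the tunable off, user_u is never authorized for sysadm_r, so
dnl su/sudo/userhelper cannot gain privileges for these logins; reaching
dnl sysadm_r is then governed entirely by the role rules in policy.
user user_u roles { user_r };

dnl Accounts permitted to administer the machine get explicit entries.
dnl staff_r is the everyday working role; sysadm_r is entered from it only
dnl through the role changes the policy allows (newrole, su with a role change).
user root  roles { staff_r sysadm_r system_r };
user alice roles { staff_r sysadm_r };

dnl A named account that should be individually accountable in the audit
dnl trail but has no extra privilege: same permissions as user_u, own identity.
user bob roles { user_r };
```

After editing, the policy is rebuilt and loaded from the source tree and the new user entries take effect at the next login; the build target used for that (make load in the example policy Makefile) is likewise an assumption here.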

