On Fri, 2005-05-06 at 08:04 -0400, Daniel J Walsh wrote:
> Hein Coulier wrote:
>
> > hi, newbie speaking here (totally lost in the selinux labyrinth).
> >
> > What I want to accomplish with selinux is the following: I want to allow
> > different end-users (with different roles) to do something with some files.
> > I'll give you an example:
> >
> > fileA : may be read by roleA and roleB
> > fileB : may only be read by roleB ; audited
> > fileC : may be read and changed by roleB ; audited
> >
> > I read several PDFs, read the O'Reilly book, but I seem to be unable to
> > achieve my goal.
> > Help would be appreciated.
> >
> You may want to look at ACLs and Auditing rather than SELinux.

ACLs are discretionary, so I don't think that will meet his need.

Suggestion:
1) Convert your machine to strict policy (so that you have real user roles and domains),
2) Search the mailing list archives for discussions of how to add a new user role to the policy (e.g. see the full_user_role() macro and domains/user.te).

Also, look at the recently added support for a separate security administrator role introduced by Dan.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
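One way to express the three-file matrix from the question as type-enforcement rules once the per-role user domains exist; this is an added example, not policy from this thread or from the Fedora policy itself. It assumes a strict policy in which full_user_role() has already produced user domains roleA_t and roleB_t, and every type name and path below is made up for illustration.

```selinux
# Added example: type enforcement for fileA/fileB/fileC from the question.
# Assumptions: strict policy; user domains roleA_t and roleB_t already exist
# (e.g. from full_user_role(roleA) / full_user_role(roleB)); both domains can
# already search the directory holding the files; all type and path names
# here are invented for illustration.

# One private type per file, so each file can carry its own rules.
type fileA_t, file_type;
type fileB_t, file_type;
type fileC_t, file_type;

# fileA: read-only for both roles, no extra auditing.
# `open` is needed on kernels that have the open permission (2.6.26 and
# later); drop it on policy versions that predate it.
allow roleA_t fileA_t:file { getattr open read };
allow roleB_t fileA_t:file { getattr open read };

# fileB: read-only, and only for roleB. roleA gets no rule at all, so any
# attempt from roleA_t is denied and logged as an AVC denial by default.
allow roleB_t fileB_t:file { getattr open read };
# auditallow additionally logs each *granted* access; it only has an effect
# for permissions that are also allowed above.
auditallow roleB_t fileB_t:file { open read };

# fileC: read and write for roleB, every granted access audited.
allow roleB_t fileC_t:file { getattr open read write append lock ioctl };
auditallow roleB_t fileC_t:file { open read write append };

# File contexts belong in file_contexts, not in the .te file. After loading
# the policy, run setfiles or restorecon on the paths to apply the labels:
#   /srv/data/fileA    --    system_u:object_r:fileA_t
#   /srv/data/fileB    --    system_u:object_r:fileB_t
#   /srv/data/fileC    --    system_u:object_r:fileC_t
```

Accesses matched by the auditallow rules show up in the audit log as "avc: granted" records, which is what satisfies the "audited" requirement for fileB and fileC; denied attempts from the wrong role are logged as "avc: denied" without any extra rule.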