Stephen Smalley wrote:
On Fri, 2005-05-06 at 08:04 -0400, Daniel J Walsh wrote:Yes I realize that but handling things like this with MAC is not that easy. Writing policy
Hein Coulier wrote:
You may want to look at ACLs and Auditing rather than SELinux.hi, newby speaking here (totally lost in the selinux labyrinth).
What i want to accomplish with selinux is the following : i want to allow different end-users (with different roles) to do something with some files. I'll give you an example :
fileA : may be read by roleA and roleB fileB : may only be read by roleB ; audited fileC : may be read and changed by roleB ; audited
I read several pdf's, read the o'reilly book, but i seem to be unable to achieve my goal. Help would be appreciated.
ACLs are discretionary, so I don't think that will meet his need. Suggestion: 1) Convert your machine to strict policy (so that you have real user roles and domains), 2) Search the mailing list archives for discussions of how to add a new user role to the policy (e.g. see the full_user_role() macro and domains/user.te). Also, look at the recently added support for a separate security administrator role introduced by Dan.
where different user roles have R, RW,RWX, No read is not a strong suit of MAC.
Dan
--
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list