On Fri, 2005-05-06 at 09:19 -0400, Daniel J Walsh wrote:
> Yes I realize that but handling things like this with MAC is not that
> easy. Writing policy
> where different user roles have R, RW, RWX, No read is not a strong suit
> of MAC.

For specific data files, it should be relatively straightforward; he just needs to instantiate the roles via full_user_role(), define a few new file types for the particular data he wants to restrict, and add specific allow rules and auditallow rules between the new user domains and the new file types. I agree that a higher level language or tool would make life simpler, but the mechanism is certainly capable of supporting the need.

--
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
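The approach Stephen describes, written out as an added example that is not part of the original thread: a policy fragment in the 2005-era example-policy style, with one data type and three user roles that get read-only, read/write and read/execute access, while every other domain gets nothing. The role names reader, editor and runner, the type project_data_t and the path are hypothetical; the fragment assumes the full_user_role() macro and the r_file_perms, rw_file_perms, rx_file_perms, r_dir_perms and rw_dir_perms permission macros of that policy, and the sysadmfile attribute so that sysadm_t can still manage the files.

```selinux
# Added illustration (not from the mailing-list thread): example-policy
# fragments for three user roles with different access to one data set.
# Assumptions: the macros full_user_role(), r_file_perms, rw_file_perms,
# rx_file_perms, r_dir_perms and rw_dir_perms and the attributes file_type
# and sysadmfile exist as in the 2005-era Fedora policy; the role names,
# the type name and the path are hypothetical.

# --- domains/user.te (or a local .te file): instantiate the user roles ---
# full_user_role(foo) defines foo_r, foo_t and the usual home-dir types.
full_user_role(reader)      # may only read the data
full_user_role(editor)      # may read and write the data
full_user_role(runner)      # may read and execute the data
# Any other domain (user_t, staff_t, ...) has no rule below and is denied.

# --- types/file.te: one new type for the restricted data ---
type project_data_t, file_type, sysadmfile;

# --- read-only role ---
allow reader_t project_data_t:dir r_dir_perms;
allow reader_t project_data_t:file r_file_perms;

# --- read/write role ---
allow editor_t project_data_t:dir rw_dir_perms;
allow editor_t project_data_t:file rw_file_perms;
# auditallow does not change the decision; it logs each granted write so
# modifications to the data set are visible in the audit log.
auditallow editor_t project_data_t:file { write append };

# --- read/execute role ---
allow runner_t project_data_t:dir r_dir_perms;
allow runner_t project_data_t:file rx_file_perms;
# Log successful executions of files in the data set.
auditallow runner_t project_data_t:file execute;

# --- file_contexts entry (hypothetical path), then run restorecon ---
# /srv/projects/alpha(/.*)?   system_u:object_r:project_data_t
```

Two things the fragment relies on but does not show: each Linux user still has to be mapped to the role in the policy's users file (for example `user alice roles { editor_r };`), and the "no read" case needs no rule at all, because SELinux denies any access that no allow rule grants. The auditallow statements are what make the granted writes and executions show up in the audit log without affecting whether they succeed.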