On Tue, 10 May 2005 09:55:32 CDT, alex@xxxxxxxxxxxxxxx said:
> > Best solution for me would be that RBAC on userbase could be made available
> > in targeted policy.
>
> I'm a total SELinux newbie (intend to improve on that), but yes, this would be
> a nice-to-have feature if possible. In my work environment, we work with some
> sensitive data, and we must have an audit trail whenever some types of files are
> touched (or we would fail external audits, which translates to lost jobs,
> simple as that).

Well, unfortunately, this is a "fish or cut bait" scenario. Targeted looks the way it does because all "normal userspace" gets dumped into one unconfined_t.

If you want per-(user/role/etc) separation, you really have to go to some variant on "strict" - a *huge* part of the size of "strict" is dealing with all those annoying interactions between domains. If you want a user1_t and a user2_t, you almost have to support splitting tmp_t into a user1_tmp_t and a user2_tmp_t so user2 can't get into user1 via a tmp_t file.

I suspect what you really want here is not "targeted" but "strict with a lot of the booleans set to loosen the policy somewhat".....
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list
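The tmp_t split mentioned in the reply above, as an added illustration in SELinux kernel policy language. This is not the 2005 strict policy and not code from the list; the domain and type names (user1_t, user2_t, user1_tmp_t, user2_tmp_t) are hypothetical, and it assumes a base policy that already defines tmp_t plus the domain and file_type attributes, as the reference policy does.

```selinux
# Added illustration, not the 2005 strict policy: two confined user
# domains and what separating tmp_t buys you.  Loadable module in kernel
# policy language; user1_t, user2_t, user1_tmp_t and user2_tmp_t are
# hypothetical names.  Assumes the base policy provides tmp_t and the
# domain / file_type attributes (reference-policy conventions).
module user_tmp_split 1.0;

require {
    type tmp_t;
    attribute domain;
    attribute file_type;
    class dir  { search write add_name remove_name };
    class file { create open read write getattr unlink };
}

# Two separate user domains instead of everything in one unconfined_t.
type user1_t, domain;
type user2_t, domain;

# --- Weak design: both domains share plain tmp_t ----------------------
# With only these rules, any file user1_t drops in /tmp is labelled tmp_t
# and user2_t has the same rights to it as user1_t does: read it, truncate
# it, unlink it and replace it under the same name.
# allow { user1_t user2_t } tmp_t:dir  { search write add_name remove_name };
# allow { user1_t user2_t } tmp_t:file { create open read write getattr unlink };

# --- Separated design: per-user tmp types -----------------------------
type user1_tmp_t, file_type;
type user2_tmp_t, file_type;

# Both domains may traverse /tmp and add or remove entries in it ...
allow { user1_t user2_t } tmp_t:dir { search write add_name remove_name };

# ... but a file each domain creates under a tmp_t directory is labelled
# with that domain's own tmp type (type transition), and each domain is
# only granted file access on its own type.
type_transition user1_t tmp_t:file user1_tmp_t;
type_transition user2_t tmp_t:file user2_tmp_t;
allow user1_t user1_tmp_t:file { create open read write getattr unlink };
allow user2_t user2_tmp_t:file { create open read write getattr unlink };

# No rule mentions user2_t together with user1_tmp_t (or vice versa), so a
# cross-user access through /tmp is denied and shows up in the audit log.
# This is exactly the kind of per-domain bookkeeping that makes strict so
# much larger than targeted: every shared location needs the same split.
```

The commented-out "weak design" rules and the "separated design" rules are alternatives; load only one set. Real policies also need rules for the directory entries a domain removes (remove_name on tmp_t:dir is already covered above) and for the user's home and shell domains, which are left out here to keep the contrast with shared tmp_t visible.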