Re: Problems creating a user

> This is probably doomed to failure, because the targeted policy cuts a *lot*
> of corners because it's not making any realistic attempt to protect legitimate
> system users/types from each other.  You really need to start with the 'strict'
> policy - that has support for separating users.

It does not... it has support for separating types of users from other types
of users... and the boundaries between the types are pretty much set in stone
at this time - you can't easily change what roles can do - there's staff_r,
sysadm_r, secadm_r, user_r, system_r, and that's it.

I wish RBAC would be more flexible...but it isn't (at least not yet).
DAC groups would probably be better for what you're trying to accomplish.

> (Basically, in the 'targeted' policy, so many things will treat
> 'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being
> equivalent that you're not going to get anywhere useful....)

They're equivalent in strict policy as well. The user field of the SELinux context is not really used at this time.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
