On Mon, 2005-09-26 at 13:05 -0400, Valdis.Kletnieks@xxxxxx wrote: > On Mon, 26 Sep 2005 12:31:51 +0200, Armando Aznar said: > > I have enabled the targeted policy, so all the users run with the user > > "user_u" (then all the users have all the permissions in SELinux). > > > How could i create a user who run with the user "system_u" so this user dont > > have all the permissions? > > This is probably doomed to failure, because the targeted policy cuts a *lot* > of corners because it's not making any realistic attempt to protect legitimate > system users/types from each other. You really need to start with the 'strict' > policy - that has support for separating users. > > (Basically, in the 'targeted' policy, so many things will treat > 'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being > equivalent that you're not going to get anywhere useful....) Just to affirm this point: Targeted policy is not suitable for user separation. Convert to strict policy if you want user separation. (Side bar: The only reason targeted policy even has multiple user identities and roles defined is for context compatibility with strict policy. If the policy language had a notion of user and role aliases to parallel the type alias construct, the users and roles would all just be aliased together for targeted policy.). -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
