On Mon, 2005-09-26 at 13:28 -0400, Ivan Gyurdiev wrote:
> It does not... it has support for separating types of users from other
> types of users...

That is user separation, just not per-Linux user separation.

> ...and the boundaries between the types are pretty much set in stone at
> this time - you can't easily change what roles can do - there's staff_r,
> sysadm_r, secadm_r, user_r, system_r, and that's it.

...unless you modify policy sources.

> I wish RBAC would be more flexible...but it isn't (at least not yet).
> DAC groups would probably be better for what you're trying to accomplish.

Depends on what he wants to accomplish. DAC cannot truly isolate users in
any mandatory sense.

> >(Basically, in the 'targeted' policy, so many things will treat
> >'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being
> >equivalent that you're not going to get anywhere useful....)
> >
> >
> They're equivalent in strict policy as well. The user field of the
> SELinux context is not really used at this time.

The particular example might not be good, but the user identity does come
into play in strict policy in bounding the set of roles (and thus the set
of domains).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
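The closing point of the thread, that the SELinux user identity bounds the roles a process may hold and therefore the domains it can reach, can be shown with a small model. The following is an added example written for this page; it is not code from the thread, from the SELinux kernel security server, or from any Fedora policy. It parses a constructed, simplified policy fragment in the reference-policy declaration style (`user ... roles { ... };` and `role ... types { ... };`), then validates `user:role:type` process contexts the same way the kernel does: the user must be allowed the role, and the role must be allowed the type. The user and role names are the ones mentioned in the thread plus assumed `*_u` user identities and `*_t` domains; the object_r special case is deliberately left out.

```python
import re
from collections import defaultdict

# Constructed policy fragment for illustration only. It follows the
# declaration syntax of the strict/reference policy but is not a copy of
# any real policy file.
POLICY_SOURCE = """
# user identity -> roles it may take on
user system_u roles { system_r };
user user_u   roles { user_r };
user staff_u  roles { staff_r sysadm_r secadm_r };

# role -> domains (process types) it may run in
role system_r types { init_t initrc_t };
role user_r   types user_t;
role staff_r  types staff_t;
role sysadm_r types sysadm_t;
role secadm_r types secadm_t;
"""

# Accept both the braced list form and the single-identifier form.
USER_RE = re.compile(r"^user\s+(\w+)\s+roles\s+(?:\{([^}]*)\}|(\w+))\s*;$")
ROLE_RE = re.compile(r"^role\s+(\w+)\s+types\s+(?:\{([^}]*)\}|(\w+))\s*;$")


def parse_policy(source):
    """Return (user_roles, role_types): two dicts of name -> set of names."""
    user_roles = defaultdict(set)
    role_types = defaultdict(set)
    for raw in source.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = USER_RE.match(line)
        if m:
            user_roles[m.group(1)].update((m.group(2) or m.group(3)).split())
            continue
        m = ROLE_RE.match(line)
        if m:
            role_types[m.group(1)].update((m.group(2) or m.group(3)).split())
            continue
        raise ValueError("unsupported statement: %s" % line)
    return dict(user_roles), dict(role_types)


def context_valid(user_roles, role_types, context):
    """Validate a 'user:role:type' process context.

    Mirrors the two checks the security server applies when a process
    context is created: the user must be authorised for the role, and the
    role must be authorised for the type. Any failure makes the context
    invalid, so a transition to it is refused.
    """
    user, role, typ = context.split(":")[:3]
    return role in user_roles.get(user, set()) and typ in role_types.get(role, set())


def reachable_domains(user_roles, role_types, user):
    """Every domain the given SELinux user can ever run in, via any of
    its roles. This is the 'set of domains' bounded by the user field."""
    return {t for r in user_roles.get(user, set()) for t in role_types.get(r, set())}


USER_ROLES, ROLE_TYPES = parse_policy(POLICY_SOURCE)

if __name__ == "__main__":
    for ctx in ("staff_u:sysadm_r:sysadm_t", "user_u:sysadm_r:sysadm_t",
                "user_u:user_r:user_t"):
        print(ctx, "valid" if context_valid(USER_ROLES, ROLE_TYPES, ctx) else "INVALID")
    for u in sorted(USER_ROLES):
        print(u, "->", sorted(reachable_domains(USER_ROLES, ROLE_TYPES, u)))
```

Running it shows the bounding effect: sysadm_r permits sysadm_t, but a process whose user field is user_u can never obtain that role, so `user_u:sysadm_r:sysadm_t` is rejected outright, while staff_u reaches staff_t, sysadm_t and secadm_t. Changing which domains a Linux user can reach therefore means editing the `user ... roles` and `role ... types` declarations, which is exactly the "modify policy sources" step the reply describes.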