If you are trying to set up a least priv user, look at roles/guest.te and xguest.te. They use userdom_restricted_user_template and userdom_restricted_xwindows_user_template, which are considered the least privs required for a login user.

user_t/staff_t are full users, meaning they should be allowed to do everything a user on a non-SELinux system is, without any capabilities. If they need to execute an application that requires capabilities, a transition rule is defined.

userdom_restricted_user_template gives you a user which cannot use the network or any capabilities, with no exec in homedir. No X.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux