Re: SELinux Coloring book?

On Wed, 2013-11-13 at 19:35 +0100, Dominick Grift wrote:
> On Wed, 2013-11-13 at 13:10 -0500, Daniel J Walsh wrote:
> 
> > > 
> > Maybe a followup that describes RBAC.  Not sure how the analogy would work
> > though.
> > 
> > Suggestions welcome.
> > 
> > Dog Role, Seeing Eye Dog Role, Rescue Dog Role.
> > 
> > RBAC is always hard to describe especially when you start defining SELinux Users.
> > 
> > Login User -> SELinux User -> roles -> Types.
> > 
> > The Russian dolls model is the best I have come up with.
> > 
> > 
> 
> Yes, that makes things a bit more complicated,
> 
> because if you want to fully explain it then you also get into the
> concepts of "automatically transitioning" versus "manually changing".
> 
> So for example you want to give the dog the discretion to eat the cat
> food as the cat (by associating the cat role (which in turn is
> associated to the cat type) to the dog identity).
> 
> Then if the dog wants to eat the cat food like the cat, he can simply
> manually change to the cat role with associated cat type.
> 
> Or you could force the dog to only be able to eat cat food as the cat by
> making dog automatically role and type transition on the main entry
> point. That way he can only access cat food as a cat (LOL)
> 
> 

By the way (nit pick):

I do not think that cats and dogs interact with cat and dog food
respectively.

Interaction requires two active entities. Dog and cat food are passive
entities.

So in my view dogs and cats operate on dog and cat food respectively
instead.



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
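
The nesting (Login User -> SELinux User -> roles -> Types) and the two ways of changing role discussed in this thread, as a simplified model added here; it is not code from either poster and not real SELinux policy. The login `rex`, the names `dog_u`, `dog_r`, `cat_r`, `dog_t`, `cat_t`, `catfood_exec_t` and all function names are constructed for illustration.

```python
# Simplified model of SELinux RBAC nesting; constructed names, not real policy.
LOGIN_MAP = {"rex": "dog_u"}                             # Login User -> SELinux User
USER_ROLES = {"dog_u": {"dog_r", "cat_r"}}               # SELinux User -> roles
ROLE_TYPES = {"dog_r": {"dog_t"}, "cat_r": {"cat_t"}}    # role -> Types
DEFAULT = {"dog_u": ("dog_r", "dog_t")}                  # context given at login
ROLE_ALLOW = {("dog_r", "cat_r")}                        # role changes policy permits
# Automatic transitions fire when the entry point (a file type) is executed.
ROLE_TRANSITION = {("dog_r", "catfood_exec_t"): "cat_r"}
TYPE_TRANSITION = {("dog_t", "catfood_exec_t"): "cat_t"}


def valid_context(user, role, type_):
    """Russian dolls: the type must fit the role, and the role the user."""
    return role in USER_ROLES.get(user, set()) and type_ in ROLE_TYPES.get(role, set())


def check(old_role, ctx):
    """Reject a role change that is not allowed or a context that does not nest."""
    user, role, type_ = ctx
    if role != old_role and (old_role, role) not in ROLE_ALLOW:
        raise PermissionError(f"role change {old_role} -> {role} not allowed")
    if not valid_context(user, role, type_):
        raise PermissionError(f"invalid context {user}:{role}:{type_}")
    return ctx


def login(name):
    """Map the Linux login to its SELinux user and starting role and type."""
    user = LOGIN_MAP[name]
    role, type_ = DEFAULT[user]
    return check(role, (user, role, type_))


def manual_change(ctx, new_role, new_type):
    """Manual change: the subject asks for the role (as with newrole -r)."""
    user, role, _ = ctx
    return check(role, (user, new_role, new_type))


def execute(ctx, entry_type):
    """Automatic transition: policy, not the subject, picks role and type."""
    user, role, type_ = ctx
    new_role = ROLE_TRANSITION.get((role, entry_type), role)
    new_type = TYPE_TRANSITION.get((type_, entry_type), type_)
    return check(role, (user, new_role, new_type))
```

Removing `cat_r` from `USER_ROLES["dog_u"]` makes both `manual_change` and `execute` fail for the cat role, which is the sense in which the role must first be associated with the identity.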




