Re: Are we on the wrong track?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I also agree with most things already said.

I would like to add that the way documentation is currently handled
involves too much copy + paste of almost meaningless descriptions, but I
haven't found a very good alternative either. (maybe adding a type
attribute to the param xml and generating a summary based on that could
work in the most common cases)

On 6/12/20 3:02 PM, Russell Coker wrote:
> Does staff_r even make sense when you could just use
>>> different MCS categories for different users?
>> Yes, as user_r cannot reach admin roles whereas staff_r can.
> The user identity has a permitted list of roles, you can have users who are 
> permitted user_r and sysadm_r and users who are only permitted user_r.  The 
> original benefit of staff_r was to protect staff from attacks by user_r 
> accounts, but we can do that protection with the identity based constraints.

I would propose replacing user based constraints with role based
constraints:
The user part of the context (normally) doesn't change after login, this
means that files edited by a staff_u user become inaccessible by anyone
else, even if sudo is used to change to staff_u:sysadm_r:sysadm_t, but
reducing the user based constraints for staff_u is undesirable.

Those are just my 2 cents,

bauen1






[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux