On Wednesday 26 March 2008 19:46, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> I am not sure where this is going, but I believe that separation based
> on role in the home directory is a mistake. It assumes that the home
> directory will always be used by the same user with the same role. And
> will not work when you have a network file system that supports labels.
>
> In Red Hat I can log in to people.redhat.com and people.fedoraproject.com,
> which I should use the guest_r. While logging into my laptop I would be
> unconfined_t, and on test machines I might get staff_r or user_r. All of
> them would use the same home directory. So how would this work in this
> environment?

If you have the same home directory contents (including .login, .bashrc, and
equivalent files) and you can execute programs from the home directory, then
how can you usefully have roles which are really different on different
machines? You could for example have guest_r on machine A mapping to sysadm_r
on machine B (which I believe bears some similarity to the reclassification of
documents when going between certain military organisations).

The idea of a network filesystem having the same labels on all machines where
it is mounted, even when there are differences in policy and/or user rights on
those machines, makes no sense to me.

-- 
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/                 My Blog
http://www.coker.com.au/sponsorship.html  Sponsoring Free Software development

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.