On Wed, 2009-02-11 at 21:01 +0800, Dennis Wronka wrote:
> Thanks. This info helped a lot.
> So user_u is for regular users that are just supposed to do stuff with what
> the system offers. Anything else, like installing stuff is loaded off to users
> that are at least staff_u or above.
>
> It's something one has to get used to, especially the part of newrole-ing
> first and afterwards using su.

In Fedora (targeted policy) we use sudo to transition to root and privileged
user domains. This has the advantage that one can delegate privileged tasks
without having to share root's password. It also saves you from having to
authenticate two times.

Yes, user_u is for users that should never be able to do privileged tasks.
Staff_u can domain transition to more permissive user domains.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.