On 05/14/14 18:10, Daniel J Walsh wrote:
> As far as roles/type combinations, most system roles get assigned the system_r role. This is the vast majority of role/type combinations.
>
> seinfo -rsystem_r -x | wc -l
> 776
>
> User roles are assigned based on the _run interfaces, and are built into higher level interfaces to get assigned automatically when you define a new user_r as a user.
>
> seinfo -ruser_r -x | wc -l
> 175
> seinfo -rguest_r -x | wc -l
> 95
Since the role has a set of allowed types, it acts as an abstraction between a new user and the types; simply assigning a user a certain role is enough to define the allowed types a process can have under the user.
Since I don't know M4 macros, I would request you to clarify 1 more question -- when a new type is defined, are the macros used to define which roles this new type will be allowed in? Or is it the other way around -- is the definition of one of the roles modified so as to include this new type?