On Nov 4, 2014 12:46 PM, "Russell Coker" <russell@xxxxxxxxxxxx> wrote:
>
> The role separation seems to give no benefit apart from sysadm_r/unconfined_r given that we have seuser based constraints and MCS labels to separate users and that they all use the same types.
I disagree. Roles allow for restricting the domains that users can transition into. I use them often for granting users "limited root". For instance dbadm_r for DBAs versus webadm_r for web app server admins.
Wkr,
Sven Vermeulen
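
The restriction described in the reply above, as an added example that is not part of the original message or of any project's code: a small Python model of the role check applied to a security context. The policy fragment is constructed, with simplified type sets assumed for illustration; it models only user-role and role-type authorization, not TE allow rules or role_transition.

```python
import re

# Constructed policy fragment (not from the thread). The statement syntax is
# SELinux policy language; the role/type sets are simplified assumptions.
POLICY = """
user dbadm_u roles { staff_r dbadm_r };
user webadm_u roles { staff_r webadm_r };
role staff_r types { staff_t };
role dbadm_r types { dbadm_t mysqld_t };
role webadm_r types { webadm_t httpd_t };
"""

STMT = re.compile(r"\b(user|role)\s+(\w+)\s+(?:roles|types)\s+\{([^}]*)\}\s*;")


def parse(policy):
    """Return (user -> roles, role -> types) from user/role statements."""
    user_roles, role_types = {}, {}
    for kind, name, body in STMT.findall(policy):
        target = user_roles if kind == "user" else role_types
        target.setdefault(name, set()).update(body.split())
    return user_roles, role_types


def context_valid(context, user_roles, role_types):
    """user:role:type is valid only if the user is authorized for the role
    and the role is authorized for the type."""
    user, role, type_ = context.split(":")[:3]
    return (role in user_roles.get(user, set())
            and type_ in role_types.get(role, set()))


def can_enter(context, new_type, user_roles, role_types):
    """A domain transition keeps user and role by default, so the target
    domain must be a type the current role is authorized for."""
    user, role, _ = context.split(":")[:3]
    return context_valid(f"{user}:{role}:{new_type}", user_roles, role_types)


if __name__ == "__main__":
    ur, rt = parse(POLICY)
    for target in ("mysqld_t", "httpd_t"):
        ok = can_enter("dbadm_u:dbadm_r:dbadm_t", target, ur, rt)
        print(f"dbadm_r -> {target}: {'valid' if ok else 'invalid context'}")
```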