We could use the seuser and/or MCS fields to restrict running the programs that enter the domains in question. Also, now it's an issue of systemd access, which changes things a bit; I haven't looked into this yet.

On November 5, 2014 12:31:48 AM GMT+11:00, Sven Vermeulen <sven.vermeulen@xxxxxxxxx> wrote:
>On Nov 4, 2014 12:46 PM, "Russell Coker" <russell@xxxxxxxxxxxx> wrote:
>>
>> The role separation seems to give no benefit apart from
>> sysadm_r/unconfined_r given that we have seuser based constraints and
>> MCS labels to separate users and that they all use the same types.
>
>I disagree. Roles allow for restricting the domains that users can
>transition into. I use them often for granting users "limited root".
>For instance dbadm_r for DBAs versus webadm_r for web app server admins.
>
>Wkr,
> Sven Vermeulen

-- 
Sent from my Samsung Galaxy Note 3 with K-9 Mail.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
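For readers who want to see the two mechanisms the thread contrasts side by side, here is an added example; it is not code from the thread or from either participant. It is a constructed reference-policy style (.te) module that builds a "limited root" role the way Sven describes, with the seuser and MCS settings Russell refers to given as semanage commands in the comments. The module name dbops_example, the role dbops_r, the types dbops_t and dbops_exec_t, the SELinux user dbops_u, the login alice and the category ranges are all assumptions made for the illustration; the only pre-existing names relied on are staff_r and staff_t from the reference policy.

```selinux
# Constructed example (not from the thread). Names are assumptions.
policy_module(dbops_example, 1.0.0)

gen_require(`
	role staff_r;
	type staff_t;
')

# Domain and role. A process may only run in dbops_t if its role is
# authorised for that type, so the "role ... types" statement is the
# gate Sven relies on: a staff_r or user_r process cannot enter
# dbops_t at all, whatever the type-enforcement allow rules say.
type dbops_t;
type dbops_exec_t;
domain_type(dbops_t)
domain_entry_file(dbops_t, dbops_exec_t)
role dbops_r;
role dbops_r types dbops_t;

# Role allow rule: a staff_r process may change role to dbops_r.
# Without it, even a login whose seuser lists dbops_r is stuck in
# staff_r.
allow staff_r dbops_r;

# Executing a dbops_exec_t file from staff_t switches both the type
# (staff_t -> dbops_t) and the role (staff_r -> dbops_r).
domain_auto_trans(staff_t, dbops_exec_t, dbops_t)
role_transition staff_r dbops_exec_t dbops_r;

# The other two gates Russell mentions live outside the module
# (assumed commands; run as root on the target system):
#
#   semanage user  -a -R "staff_r dbops_r" -r s0-s0:c0.c1023 dbops_u
#   semanage login -a -s dbops_u -r s0-s0:c0.c9 alice
#
# The first makes dbops_r reachable only through the SELinux user
# dbops_u; a login mapped to staff_u (which carries staff_r but not
# dbops_r) never reaches the role gate above, regardless of the
# allow rules. The second binds the login alice to dbops_u and to
# the category range c0.c9, so the MCS constraints keep her dbops_t
# processes away from files labelled with categories outside that
# range even though every DBA shares the same type.
```

Loading the module (make -f /usr/share/selinux/devel/Makefile, then semodule -i) and checking `seinfo -r dbops_r -x` and `semanage user -l` is the quickest way to confirm that all three layers (role/type authorisation, seuser-to-role mapping, and MCS range) are in place before handing the role to a real login.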