On Tue, 10 May 2005 09:55:32 CDT, alex(a)milivojevic.org said:
> Best solution for me would be that rbac on userbase could be made available in targeted policy.
I'm a total SELinux newbie (intend to improve on that), but yes, this would be a nice-to-have feature if possible. In my work environment, we work with some sensitive data, and we must have an audit trail whenever some types of files are touched (or we would fail external audits, which translates to lost jobs, simple as that).
Well, unfortunately, this is a "fish or cut bait" scenario. Targeted looks
the way it does because all "normal userspace" gets dumped into one
unconfined_t.
If you want per-(user/role/etc) separation, you really have to go to some variant on "strict" - a *huge* part of the size of "strict" is dealing with all those annoying interactions between domains. If you want a user1_t and a user2_t, you almost have to support splitting tmp_t into a user1_tmp_t and a user2_tmp_t so user2 can't get into user1 via a tmp_t file.
I suspect what you really want here is not "targeted" but "strict with a lot of the booleans set to loosen the policy somewhat".....
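The tmp_t split described above, as an added sketch in raw SELinux type-enforcement syntax (not policy from the thread or from any shipped policy): user1_t and user2_t each get a private tmp type, files they create under a tmp_t directory transition to it, and a neverallow makes the separation a compile-time assertion. Domain and type names follow the message; the attribute and permission names are standard, and the exact permission sets are an assumption for illustration.

```selinux
# Added example, not from the thread: per-user split of tmp_t so that
# user2_t cannot reach user1_t's temporary files.
attribute domain;
attribute file_type;

type user1_t, domain;
type user2_t, domain;
type tmp_t, file_type;        # label of the shared /tmp directory itself
type user1_tmp_t, file_type;  # private tmp type for user1_t
type user2_tmp_t, file_type;  # private tmp type for user2_t

# Anything a user1_t process creates inside a tmp_t directory is labelled
# user1_tmp_t rather than tmp_t, so the label records which domain made it.
type_transition user1_t tmp_t:{ file dir lnk_file sock_file fifo_file } user1_tmp_t;
type_transition user2_t tmp_t:{ file dir lnk_file sock_file fifo_file } user2_tmp_t;

# Both domains may look in /tmp and add or remove their own entries ...
allow user1_t tmp_t:dir { getattr search write add_name remove_name };
allow user2_t tmp_t:dir { getattr search write add_name remove_name };

# ... but each domain is only granted access to its own private tmp type.
allow user1_t user1_tmp_t:file { create getattr setattr read write append unlink };
allow user1_t user1_tmp_t:dir  { create getattr search write add_name remove_name rmdir };
allow user2_t user2_tmp_t:file { create getattr setattr read write append unlink };
allow user2_t user2_tmp_t:dir  { create getattr search write add_name remove_name rmdir };

# Assertions checked when the policy is compiled: if a later rule ever grants
# cross-user access to the private tmp types, checkpolicy rejects the policy.
neverallow user2_t user1_tmp_t:{ file dir } *;
neverallow user1_t user2_tmp_t:{ file dir } *;
```

This is why "strict" grows with every pair of domains: each shared location such as tmp_t needs its own per-domain types, transitions and assertions, whereas "targeted" avoids all of it by keeping both users in one unconfined_t.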