On Fri, 2005-05-06 at 09:19 -0400, Daniel J Walsh wrote:
> Yes, I realize that, but handling things like this with MAC is not that
> easy. Writing policy where different user roles have R, RW, RWX, No read
> is not a strong suit of MAC.
For specific data files, it should be relatively straightforward; he
just needs to instantiate the roles via full_user_role(), define a few
new file types for the particular data he wants to restrict, and add
specific allow rules and auditallow rules between the new user domains
and the new file types. I agree that a higher level language or tool
would make life simpler, but the mechanism is certainly capable of
supporting the need.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
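As an added illustration of the approach Stephen describes (this is not code from the thread or from the policy sources), here is what the policy for one restricted data set could look like in the 2005-era example policy syntax he refers to; the role names, the file type, the path and the attribute set are hypothetical.

```selinux
# Added example, not from the thread. Hypothetical roles: analyst (RWX),
# auditor (R), clerk (write/append only, no read); everyone else: no access.

# 1. Instantiate the user roles. full_user_role(x) is the example-policy
#    macro that creates role x_r, domain x_t and the home-directory types.
full_user_role(analyst)
full_user_role(auditor)
full_user_role(clerk)

# 2. Define a new file type for the data to be restricted. The attributes
#    let generic file handling and the sysadm role manage it as usual.
type project_data_t, file_type, sysadmfile;

# 3. Per-role access between the new user domains and the new file type.
#    Directory access is needed to reach the files at all.
allow { analyst_t auditor_t clerk_t } project_data_t:dir { search getattr };

#    analyst: read, write and execute
allow analyst_t project_data_t:file { getattr read write append execute execute_no_trans };
allow analyst_t project_data_t:dir { read write add_name remove_name };

#    auditor: read only
allow auditor_t project_data_t:file { getattr read };
allow auditor_t project_data_t:dir read;

#    clerk: can add records but never read them back ("no read")
allow clerk_t project_data_t:file { getattr append };

#    No rule for any other domain: the default deny covers them.

# 4. Audit the sensitive accesses even though they are permitted, so that
#    writes and executions by analysts and appends by clerks are logged.
auditallow analyst_t project_data_t:file { write append execute };
auditallow clerk_t project_data_t:file append;

# 5. Label the data (file_contexts entry, hypothetical path):
#    /srv/project/data(/.*)?    system_u:object_r:project_data_t
```

After loading the policy, relabel the path and confirm with `ls -Z` that the files carry `project_data_t`; a `dontaudit`-free denial from any other domain will then show up in the audit log as an AVC message.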