Stephen Smalley wrote:
On Fri, 2005-05-06 at 08:04 -0400, Daniel J Walsh wrote:
>Hein Coulier wrote:
>>Hi, newbie speaking here (totally lost in the SELinux labyrinth).
>>What I want to accomplish with SELinux is the following: I want to allow
>>different end-users (with different roles) to do something with some files.
>>I'll give you an example:
>>fileA: may be read by roleA and roleB
>>fileB: may only be read by roleB; audited
>>fileC: may be read and changed by roleB; audited
>>I read several PDFs and the O'Reilly book, but I seem to be unable to
>>achieve my goal.
>>Help would be appreciated.
>You may want to look at ACLs and Auditing rather than SELinux.
ACLs are discretionary, so I don't think that will meet his need.
1) Convert your machine to strict policy (so that you have real user
roles and domains),
2) Search the mailing list archives for discussions of how to add a new
user role to the policy (e.g. see the full_user_role() macro and
domains/user.te). Also, look at the recently added support for a
separate security administrator role introduced by Dan.
Yes, I realize that, but handling things like this with MAC is not that
easy. Writing policy
where different user roles have R, RW, RWX, no read is not a strong suit
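A constructed type-enforcement fragment, added here and not taken from the thread, that sketches Hein's three-file example once the per-role user domains from Stephen's step 2 exist; the type names (file_a_t etc.), the domain names (user_a_t, user_b_t) and the paths are assumptions:

```selinux
# Assumed: strict policy with two user domains already created, e.g. via
# full_user_role(user_a) and full_user_role(user_b); user_a_t is entered
# by roleA (user_a_r) and user_b_t by roleB (user_b_r).
# One type per file; label them with file_contexts entries such as
#   /srv/data/fileA  --  system_u:object_r:file_a_t
type file_a_t, file_type;
type file_b_t, file_type;
type file_c_t, file_type;

# Both domains need search on the directory holding the files; assumed
# to be labelled with an existing directory type (e.g. var_t) here.
allow { user_a_t user_b_t } var_t:dir search;

# fileA: readable by roleA and roleB.
allow { user_a_t user_b_t } file_a_t:file { getattr read };

# fileB: readable only by roleB; each permitted read is audited.
# roleA gets no rule at all, so its attempts are denied and logged by
# default under MAC.
allow user_b_t file_b_t:file { getattr read };
auditallow user_b_t file_b_t:file { read };

# fileC: readable and writable by roleB; reads and writes audited.
allow user_b_t file_c_t:file { getattr read write append };
auditallow user_b_t file_c_t:file { read write append };
```

Note that auditallow only logs accesses the allow rules already grant; denied accesses (roleA touching fileB or fileC) show up as AVC denials without any extra rule.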