Stephen Smalley wrote:
On Fri, 2005-05-06 at 08:04 -0400, Daniel J Walsh wrote:
>Hein Coulier wrote:
>
>>Hi, newbie speaking here (totally lost in the SELinux labyrinth).
>>
>>What I want to accomplish with SELinux is the following: I want to allow
>>different end-users (with different roles) to do something with some files.
>>I'll give you an example:
>>
>>fileA: may be read by roleA and roleB
>>fileB: may only be read by roleB; audited
>>fileC: may be read and changed by roleB; audited
>>
>>I read several PDFs, read the O'Reilly book, but I seem to be unable to
>>achieve my goal.
>>Help would be appreciated.
>>
>You may want to look at ACLs and Auditing rather than SELinux.
>
ACLs are discretionary, so I don't think that will meet his need.
Suggestion:
1) Convert your machine to strict policy (so that you have real user
roles and domains),
2) Search the mailing list archives for discussions of how to add a new
user role to the policy (e.g. see the full_user_role() macro and
domains/user.te). Also, look at the recently added support for a
separate security administrator role introduced by Dan.
Yes, I realize that, but handling things like this with MAC is not that
easy. Writing policy where different user roles have R, RW, RWX, or no read
is not a strong suit of MAC.
Dan
--
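As an added illustration of Stephen's suggestion (this is not code from the thread and not from any distribution's policy), here is the kind of policy fragment Hein's three-file example boils down to once the strict policy has a separate user domain and role per end-user role. It is written in plain kernel policy language rather than the strict policy's macros so that it does not depend on which macro set is installed. Assumptions: full_user_role(rolea) and full_user_role(roleb) in domains/user.te have already defined the domains rolea_t and roleb_t (and the roles rolea_r and roleb_r that may enter them); the type names filea_t, fileb_t and filec_t, the attributes file_type and sysadmfile, and the path /srv/data are all hypothetical.

```selinux
# Added example, not from the thread. Assumes rolea_t and roleb_t already
# exist (from full_user_role(rolea) / full_user_role(roleb)); the type and
# attribute names below are hypothetical.

# One type per file, so the rules below can differ per file.
# file_type / sysadmfile are assumed to be the strict policy's attributes
# that let sysadm_t manage and relabel ordinary files.
type filea_t, file_type, sysadmfile;
type fileb_t, file_type, sysadmfile;
type filec_t, file_type, sysadmfile;

# fileA: readable by both roles, nothing special audited.
allow rolea_t filea_t:file { getattr read };
allow roleb_t filea_t:file { getattr read };

# fileB: readable only by roleB. 'allow' grants the access; 'auditallow'
# additionally writes an audit record every time the granted access is used.
allow roleb_t fileb_t:file { getattr read };
auditallow roleb_t fileb_t:file { read };

# fileC: read and write by roleB, both audited.
allow roleb_t filec_t:file { getattr read write append };
auditallow roleb_t filec_t:file { read write append };

# No rule is needed to audit rolea_t touching fileB or fileC: a denied access
# produces an AVC denial in the audit log by default, unless a dontaudit rule
# suppresses it. Make sure no existing dontaudit covers these types.

# The parent directory must also be searchable by both domains; in the strict
# policy that normally comes from the directory's own type rather than from
# these rules.

# Labelling (assumed path), to go into file_contexts and then be applied with
# setfiles/restorecon:
#   /srv/data/fileA   --   system_u:object_r:filea_t
#   /srv/data/fileB   --   system_u:object_r:fileb_t
#   /srv/data/fileC   --   system_u:object_r:filec_t
```

Two caveats a practitioner will want: on current kernels a file read also needs the open permission (and the policy capability that enables it), so the allow rules above would additionally grant open; and auditallow records only successful accesses, so it complements rather than replaces the default denial logging. None of this changes Dan's point that per-role R/RW/no-read matrices are clumsy to express: every distinct combination of role and file needs its own type and its own set of rules.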