>...and the boundaries between the types are pretty much set in stone at
>this time - you can't easily change what roles can do - there's staff_r,
>sysadm_r, secadm_r, user_r, system_r, and that's it.
>
>
...unless you modify policy sources.
You're right. The problem isn't that RBAC isn't flexible - it's _too_
flexible. I think it would be confusing to admins to write policy. Maybe
if we could create some sort of friendly app with the most-common macros
an admin could want to use, and their descriptions... I guess we're
moving in the right direction with those management APIs...hmm