On Mon, 2005-09-26 at 13:28 -0400, Ivan Gyurdiev wrote:
> It does not... it has support for separating types of users from
> types of users...

That is user separation, just not per-Linux user separation.

> ...and the boundaries between the types are pretty much set in stone
> this time - you can't easily change what roles can do - there's
> staff_r, sysadm_r, secadm_r, and that's it.

...unless you modify policy sources.

> I wish RBAC would be more flexible...but it isn't (at least not
> DAC groups would probably be better for what you're trying to accomplish.

Depends on what he wants to accomplish. DAC cannot truly isolate users
in any mandatory sense.

> > (Basically, in the 'targeted' policy, so many things will be
> > 'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t'
> > equivalent that you're not going to get anywhere useful....)
>
> They're equivalent in strict policy as well. The user field of the
> SELinux context is not really used at this time.

The particular example might not be good, but the user identity does
come into play in strict policy in bounding the set of roles (and thus
the set of domains).
National Security Agency
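The bounding described in the last reply (user identity limits the roles, each role limits the types/domains) can be made concrete with a small model of the check the kernel performs before it accepts a security context. The following is an added example, not code from the thread or from the SELinux project; the policy fragment it parses is constructed for illustration, and its user/role/type assignments are assumptions (the identifier names merely follow reference-policy conventions, and only the braces form of the declarations is handled).

```python
# Added example: a minimal model of how an SELinux user identity bounds the
# roles it may take, and how a role bounds the types (domains) it may enter.
# Not code from the thread; the policy fragment below is constructed and its
# user/role/type assignments are assumptions.
import re

# Constructed policy fragment (assumed assignments, braces form only).
POLICY = """
user system_u roles { system_r };
user user_u roles { user_r };
user staff_u roles { staff_r sysadm_r };
role system_r types { init_t };
role user_r types { user_t };
role staff_r types { staff_t };
role sysadm_r types { sysadm_t };
"""

_DECL = re.compile(r"^(user|role)\s+(\w+)\s+(roles|types)\s*\{([^}]*)\}\s*;$")


def parse_policy(text=POLICY):
    """Parse user/role declarations into (user -> roles, role -> types)."""
    user_roles, role_types = {}, {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _DECL.match(line)
        if not m:
            raise ValueError("unrecognised declaration: %r" % line)
        kind, name, _, members = m.groups()
        table = user_roles if kind == "user" else role_types
        table.setdefault(name, set()).update(members.split())
    return user_roles, role_types


def context_is_valid(context, text=POLICY):
    """Apply the check the kernel makes before accepting a context:
    the user must exist and authorize the role, and the role must authorize
    the type.  object_r is exempt from the role/type test, which is why a
    file can carry system_u:object_r:etc_t although no user runs etc_t."""
    user_roles, role_types = parse_policy(text)
    fields = context.split(":")
    if len(fields) < 3:
        return False
    user, role, typ = fields[:3]  # a trailing MLS range, if any, is ignored
    if user not in user_roles:
        return False
    if role == "object_r":
        return True
    return role in user_roles[user] and typ in role_types.get(role, set())


def reachable_domains(user, text=POLICY):
    """Every domain a user identity can reach: the union over its roles."""
    user_roles, role_types = parse_policy(text)
    return set().union(*(role_types.get(r, set())
                         for r in user_roles.get(user, set())))


if __name__ == "__main__":
    for ctx in ("staff_u:sysadm_r:sysadm_t", "user_u:sysadm_r:sysadm_t",
                "staff_u:staff_r:sysadm_t", "system_u:object_r:etc_t"):
        print(ctx, "valid" if context_is_valid(ctx) else "INVALID")
    print("staff_u can reach", sorted(reachable_domains("staff_u")))
```

With the constructed fragment, `user_u:sysadm_r:sysadm_t` is rejected because `user_u` is not authorized for `sysadm_r`, and `staff_u:staff_r:sysadm_t` is rejected because `staff_r` does not authorize `sysadm_t`; the domains `user_u` can ever reach are exactly those its roles allow. On a real strict policy the same two tables can be read with `seinfo -u staff_u -x` and `seinfo -r staff_r -x` (setools) rather than parsed from source.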