using selinux to control user access to files

Daniel J Walsh dwalsh at redhat.com
Fri May 6 13:19:24 UTC 2005


Stephen Smalley wrote:

>On Fri, 2005-05-06 at 08:04 -0400, Daniel J Walsh wrote:
>
>>Hein Coulier wrote:
>>
>>>Hi, newbie speaking here (totally lost in the SELinux labyrinth).
>>>
>>>What I want to accomplish with SELinux is the following: I want to allow
>>>different end-users (with different roles) to do something with some files.
>>>I'll give you an example:
>>>
>>>fileA: may be read by roleA and roleB
>>>fileB: may only be read by roleB; audited
>>>fileC: may be read and changed by roleB; audited
>>>
>>>I read several PDFs, read the O'Reilly book, but I seem to be unable to
>>>achieve my goal.
>>>Help would be appreciated.
>>>
>>You may want to look at ACLs and Auditing rather than SELinux.
>>
>
>ACLs are discretionary, so I don't think that will meet his need.
>Suggestion:
>1) Convert your machine to strict policy (so that you have real user
>roles and domains),
>2) Search the mailing list archives for discussions of how to add a new
>user role to the policy (e.g. see the full_user_role() macro and
>domains/user.te).  Also, look at the recently added support for a
>separate security administrator role introduced by Dan.
>
Yes, I realize that, but handling things like this with MAC is not that
easy. Writing policy where different user roles have R, RW, RWX, No read
is not a strong suit of MAC.

Dan
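Added illustration, not part of the thread above and not the 2005 strict-policy macros (full_user_role(), domains/user.te) that Stephen points to: the three-file requirement expressed as raw SELinux policy statements in a loadable module. Each role gets its own domain, each protected file its own type, and `auditallow` logs the accesses that are granted, while accesses with no `allow` rule (roleA touching fileB) are denied and logged as AVC denials by default. The module, role, type and path names, and the `open` permission (present on current kernels, not on a 2005 one), are assumptions.

```selinux
# Added example, not from the mailing-list thread. Encodes Hein's three files
# as separate types and gives each role its own domain. All names (role_files,
# userA_t, userB_t, roleA_r, roleB_r, fileA_t, fileB_t, fileC_t) are assumed.
module role_files 1.0;

require {
    # Object class and permissions this module references.
    class file { read getattr open ioctl lock write append };
}

# One domain per role; a role may only ever run in the domains it is
# authorized for, which is what makes the access non-discretionary.
type userA_t;
type userB_t;
role roleA_r;
role roleB_r;
role roleA_r types userA_t;
role roleB_r types userB_t;

# One type per protected file, so each file can carry its own rules.
type fileA_t;
type fileB_t;
type fileC_t;

# fileA: readable by both roles.
allow userA_t fileA_t:file { read getattr open ioctl lock };
allow userB_t fileA_t:file { read getattr open ioctl lock };

# fileB: read-only, roleB only. roleA gets no rule at all, so its attempts
# are denied and appear as AVC denials in the audit log by default.
allow userB_t fileB_t:file { read getattr open ioctl lock };
# auditallow additionally logs the *granted* reads, which is what "audited" asks for.
auditallow userB_t fileB_t:file { read open };

# fileC: read and write for roleB, with every grant logged.
allow userB_t fileC_t:file { read getattr open ioctl lock write append };
auditallow userB_t fileC_t:file { read open write append };

# File labels (go in role_files.fc). Paths are assumed.
#   /srv/data/fileA    --    system_u:object_r:fileA_t:s0
#   /srv/data/fileB    --    system_u:object_r:fileB_t:s0
#   /srv/data/fileC    --    system_u:object_r:fileC_t:s0
#
# Build and load (standard tool names, assumed module name):
#   checkmodule -M -m -o role_files.mod role_files.te
#   semodule_package -o role_files.pp -m role_files.mod -f role_files.fc
#   semodule -i role_files.pp
#   restorecon -v /srv/data/fileA /srv/data/fileB /srv/data/fileC
```

Two things are deliberately left out and must be supplied by the surrounding policy before this does anything useful: the login user has to be mapped to roleA_r or roleB_r and transitioned into userA_t or userB_t at login (the user-role plumbing Stephen's suggestion covers), and both domains need `search` on the directories above the files. After loading, `ausearch -m AVC` shows the `granted` records produced by the `auditallow` rules alongside the denials for roleA.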
