On Mon, 2005-09-26 at 13:28 -0400, Ivan Gyurdiev wrote:
> It does not... it has support for separating types of users from
> other types of users...

That is user separation, just not per-Linux user separation.

> ...and the boundaries between the types are pretty much set in stone
> at this time - you can't easily change what roles can do - there's
> staff_r, sysadm_r, secadm_r, user_r, system_r, and that's it.

...unless you modify policy sources.

> I wish RBAC would be more flexible...but it isn't (at least not
> yet).
> DAC groups would probably be better for what you're trying to accomplish.

Depends on what he wants to accomplish. DAC cannot truly isolate users
in any mandatory sense.

> > (Basically, in the 'targeted' policy, so many things will treat
> > 'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t'
> > as being equivalent that you're not going to get anywhere useful....)
>
> They're equivalent in strict policy as well. The user field of the
> SELinux context is not really used at this time.

The particular example might not be good, but the user identity does
come into play in strict policy in bounding the set of roles (and thus
the set of domains).
--
Stephen Smalley
National Security Agency
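The user -> roles -> domains bounding described in the reply above, shown as an added example that is not part of the thread: a small parser for `user ... roles { ... }` and `role ... types { ... }` statements from a constructed strict-style policy fragment (the type names such as `staff_su_t` and `insmod_t` are placeholders), which computes the domains a SELinux user can ever reach and checks a `user:role:type` context the way the kernel's validity check does (`object_r` is exempt from both checks, which is why the two `object_r` contexts quoted in the thread behave alike).

```python
import re

# Constructed policy fragment in the syntax of the 2005-era strict policy.
# Role and type names are placeholders, not taken from any real policy.
POLICY = """
user system_u roles { system_r };
user user_u roles { user_r };
user staff_u roles { staff_r sysadm_r } level s0 range s0 - s15;
role system_r types { init_t kernel_t };
role user_r types user_t;
role staff_r types { staff_t staff_su_t };
role sysadm_r types { sysadm_t };
role sysadm_r types insmod_t;
"""

# Both statements accept either a single name or a brace-enclosed list.
_USER_RE = re.compile(r"^user\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+)")
_ROLE_RE = re.compile(r"^role\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)")


def _names(field):
    """'{ a b }' or 'a' -> {'a', 'b'} / {'a'}."""
    return set(field.strip("{} ").split())


def parse_policy(text):
    """Return (user -> roles, role -> types); repeated role statements accumulate."""
    users, roles = {}, {}
    for stmt in text.split(";"):
        stmt = stmt.strip()
        m = _USER_RE.match(stmt)
        if m:
            users.setdefault(m.group(1), set()).update(_names(m.group(2)))
            continue
        m = _ROLE_RE.match(stmt)
        if m:
            roles.setdefault(m.group(1), set()).update(_names(m.group(2)))
    return users, roles


def reachable_domains(user, users, roles):
    """Every domain a SELinux user can run in: the union of its roles' type sets."""
    return set().union(*(roles.get(r, set()) for r in users.get(user, set())))


def context_allowed(context, users, roles):
    """True if user:role:type is consistent with the policy's user and role bounds."""
    u, r, t = context.split(":")[:3]
    if r == "object_r":  # object_r is valid for any user and any type
        return True
    return r in users.get(u, set()) and t in roles.get(r, set())
```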