Naming convention flames

Rui Miguel Seabra rms at 1407.org
Fri Apr 2 15:36:33 UTC 2004


On Fri, 2004-04-02 at 10:21 -0500, Robert P. J. Day wrote:
> On Fri, 2 Apr 2004, Rui Miguel Seabra wrote:
> 
> > On Fri, 2004-04-02 at 07:40 -0500, murphy pope wrote:
> > > >Many users in /etc/passwd can be mapped to a single SELinux user for
> > > access control purposes (e.g. system_u).  
> > > 
> > > Sounds like /etc/group to me.  
> > 
> > Ok, let's say you have users john, jane, doe, and poe
> > 
> > then you have groups like:
> > staff:x:n:john,jane,doe
> > 
> > and file xpto:
> > 
> > -rw-rw-r--  1 john staff 3399 Mar  9 00:40 xpto
> > 
> > How do you forbid doe from writing on xpto?
> > 
> > That's an example of what SELinux brings you, in terms of permissions.
> > You can explicitly say xpto can't be written by doe.
> 
> on the other hand, why should you be *allowed* to prevent doe from
> writing on xpto?  you've explicitly made doe part of the staff group,
> and you've explicitly given the staff group write permission on that
> file.  seems like these regular perms are doing exactly what they're
> *supposed* to be doing, no?

No. doe might be a junior staff member, for instance.

Another instance I didn't mention:

How do you make poe be able to write to the file without making him a
member of group staff or making the file world writable?

Rui

> unless i've totally misread what you were getting at.

You must've missed the point of ACLs. This is very important in terms of
security, and if I had this when I installed some systems a couple of
years ago, I wouldn't have needed to toy around with intermediate users to
avoid direct +w permissions from some users to certain files that can't
be +w for some others.

Rui

-- 
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Please AVOID sending me WORD, EXCEL or POWERPOINT attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
More information about the fedora-selinux-list mailing list
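The two cases Rui raises (deny doe although doe is in the file's group; let poe write without joining the group or opening the file to the world) are exactly what POSIX.1e ACLs, the kind `setfacl`/`getfacl` manage on Linux, address. The following is an added illustration written for this page, not code from the list, from SELinux or from the ACL tools: it models the POSIX.1e access-check order (owner entry, named user entry, owning and named group entries, other) including the mask entry, and runs the thread's constructed scenario through it. The user names, the file `xpto` and the group membership are taken from the thread; the ACL entries applied to the file are assumed.

```python
# Added example: a small model of POSIX.1e ACL evaluation, used to show the
# two cases discussed in the thread. Illustration only; not code from the
# mailing list, SELinux or the acl package.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1  # permission bits, as in rwx


@dataclass
class Acl:
    owner: str
    group: str
    owner_perms: int                 # ACL_USER_OBJ (not subject to the mask)
    group_perms: int                 # ACL_GROUP_OBJ (subject to the mask)
    other_perms: int                 # ACL_OTHER
    users: Dict[str, int] = field(default_factory=dict)   # ACL_USER entries
    groups: Dict[str, int] = field(default_factory=dict)  # ACL_GROUP entries
    mask: Optional[int] = None       # ACL_MASK; present once named entries exist


def access(acl: Acl, user: str, user_groups: Set[str], want: int) -> bool:
    """True if `user` (member of `user_groups`) may perform `want` on the file.

    Follows the POSIX.1e order: the owner entry wins outright; otherwise a
    named user entry decides; otherwise the group class decides (any matching
    group entry that grants the bits allows, but a match that does not grant
    them denies rather than falling through); otherwise the other entry.
    Named user and all group entries are ANDed with the mask."""
    mask = acl.mask if acl.mask is not None else R | W | X
    if user == acl.owner:
        return want & acl.owner_perms == want
    if user in acl.users:
        return want & acl.users[user] & mask == want
    candidates = []
    if acl.group in user_groups:
        candidates.append(acl.group_perms)
    candidates += [p for g, p in acl.groups.items() if g in user_groups]
    if candidates:
        return any(want & p & mask == want for p in candidates)
    return want & acl.other_perms == want


# Constructed scenario from the thread: -rw-rw-r-- john staff xpto,
# with staff = john,jane,doe and poe in no relevant group.
MEMBERSHIP = {"john": {"staff"}, "jane": {"staff"}, "doe": {"staff"}, "poe": set()}


def thread_example():
    """Who can write xpto before and after adding the two named-user entries."""
    plain = Acl("john", "staff", R | W, R | W, R)
    before = {u: access(plain, u, MEMBERSHIP[u], W) for u in MEMBERSHIP}
    # Assumed: setfacl -m u:doe:r--,u:poe:rw- xpto  (mask recalculated to rw-)
    with_acl = Acl("john", "staff", R | W, R | W, R,
                   users={"doe": R, "poe": R | W}, mask=R | W)
    after = {u: access(with_acl, u, MEMBERSHIP[u], W) for u in MEMBERSHIP}
    return before, after


def mask_example():
    """The classic gotcha: chmod g-w on a file that carries an ACL narrows the
    mask to r--, which silently removes write from every named user and group
    entry even though getfacl still lists them as rw-."""
    narrowed = Acl("john", "staff", R | W, R | W, R,
                   users={"poe": R | W}, mask=R)
    return {u: access(narrowed, u, MEMBERSHIP[u], W) for u in MEMBERSHIP}


if __name__ == "__main__":
    before, after = thread_example()
    print("write before ACL:", before)   # doe allowed, poe denied
    print("write after ACL: ", after)    # doe denied, poe allowed
    print("after chmod g-w: ", mask_example())  # only the owner keeps write
```

The model shows why group membership alone cannot express "doe is junior staff": the group entry is all-or-nothing, while a named user entry overrides it for one principal without touching the group or the other bits. The mask case is worth keeping in mind when auditing permissions, because `ls -l` shows the mask, not the owning-group entry, in the group column once an ACL is present.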