[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Naming convention flames



On Fri, 2004-04-02 at 07:40, murphy pope wrote:
> >SELinux has an independent user identity model, which provides for
> more rigorous identity based access control than standard Unix.  e.g.
> you can change Unix user id, but not SELinux user id.
> 
> And that's a feature is it?

Yes.  Bounded privilege escalation.

> 
> >The reason there are separate databases is that there is not a direct
> >mapping between Unix users and SELinux users.  
> 
> That's not a justification, it's a consequence of the fact that you
> are maintaining a separate database.  In other words, that's a bad
> thing, not a good thing.

No, it is a consequence of different security models.  And, as James
noted, you need to have a mapping of users to roles regardless of
whether you have an entry in policy/users for every entry in /etc/passwd
or not.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]