[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Naming convention flames

On Fri, 2004-04-02 at 07:40, murphy pope wrote:
> >SELinux has an independent user identity model, which provides for
> more rigorous identity based access control than standard Unix.  e.g.
> you can change Unix user id, but not SELinux user id.
> And that's a feature is it?

Yes.  Bounded privilege escalation.

> >The reason there are separate databases is that there is not a direct
> >mapping between Unix users and SELinux users.  
> That's not a justification, it's a consequence of the fact that you
> are maintaining a separate database.  In other words, that's a bad
> thing, not a good thing.

No, it is a consequence of different security models.  And, as James
noted, you need to have a mapping of users to roles regardless of
whether you have an entry in policy/users for every entry in /etc/passwd
or not.

Stephen Smalley <sds epoch ncsc mil>
National Security Agency

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]