[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Groups in the alternative user solution

To: Stephen Smalley <sds@xxxxxxxxxxxxx>
Subject: Re: Groups in the alternative user solution
From: Ivan Gyurdiev <gyurdiev@xxxxxxxxxx>
Date: Thu, 30 Jun 2005 09:27:02 -0400
Cc: casey@xxxxxxxxxxxxxxxx, kmacmillan@xxxxxxxxxx, selinux@xxxxxxxxxxxxx
In-reply-to: <1120059525.3553.137.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Organization: Red Hat Inc.
References: <1119980076.4806.23.camel@xxxxxxxxxxxxxxxxxxxxxxxxx> <1119987846.22225.222.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1119988230.7417.6.camel@xxxxxxxxxxxxxxxxxxxxxxxxx> <1120055713.3553.105.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1120057525.17121.23.camel@xxxxxxxxxxxxxxxxxxxxxxxxx> <1120059525.3553.137.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: gyurdiev@xxxxxxxxxx
Sender: owner-selinux@xxxxxxxxxxxxx

> Seems unlikely to me, given the difference between DAC and MAC.
> But I'm open to other opinions on the subject.

What about Casey's suggestion in this thread:

> 
>     root:*:sysadm
>     fred:wheel:wand
>     *:wheel:staff
>     *:*:normal
> 
> Fred would be in "wand" if only in group wheel,
> in "normal" if in groups wheel and dev. Fun.

Not sure I understand... 
So if Fred is in more groups other than wheel, 
he maps to normal? What's the rationale for that?
Controlling information disclosure? Does that * 
take precedence to fred? What about conflicts? 
This seems complicated..

============

Should this idea be dropped? More opinions?




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

Follow-Ups:
- Re: Groups in the alternative user solution
  - From: Stephen Smalley

References:
- Groups in the alternative user solution
  - From: Ivan Gyurdiev
- Re: Groups in the alternative user solution
  - From: Stephen Smalley
- Re: Groups in the alternative user solution
  - From: Ivan Gyurdiev
- Re: Groups in the alternative user solution
  - From: Stephen Smalley
- Re: Groups in the alternative user solution
  - From: Ivan Gyurdiev
- Re: Groups in the alternative user solution
  - From: Stephen Smalley

Prev by Date: Re: RFC: jail functionality
Next by Date: Re: Groups in the alternative user solution
Previous by thread: Re: Groups in the alternative user solution
Next by thread: Re: Groups in the alternative user solution
Index(es):
- Date
- Thread

This mailing list archive is a service of Copilot Consulting.