
Re: Groups in the alternative user solution



--- Ivan Gyurdiev <gyurdiev@xxxxxxxxxx> wrote:

> 
> > > I didn't understand the reasoning there either,
> > > particularly as we aren't dealing with the effective
> > > GID but the entire authorized group list for the user
> > > since we are only doing this once at login/su time.
> > 
> > I hope this has clarified the group vs.
> > group list confusion.
> 
> Yes, I understand how it would work.
> What's not clear is why you want to match on group
> list as opposed to matching on group membership
> alone.

The question with multiple concurrent
groups has always been "which group?".
In the example of Fred you have to
ask if, from a security perspective,
Fred,wheel is the same as Fred,lever
or Fred,wheel,lever. Strictly speaking
the answer is no. Now, is the difference
significant in the SELinux context?
In Unix MLS systems (except for
SystemV/MLS) clearances are
associated only with users and the
group is completely ignored. 
But the Unix MLS systems make
no attempt at the wholistic
user/application/data/transform
worldview of domain enforcement.

> How is that helpful to the sysadmin - seems awfully 
> fragile. What happens to this file if I add the user
> to another group?

That's one good reason for the wildcards.

I don't know that the scheme I
suggests solves all or even any
of the problems. Use it or not.



Casey Schaufler
casey@xxxxxxxxxxxxxxxx


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.


This mailing list archive is a service of Copilot Consulting.