From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.sws.net.au (smtp.sws.net.au [144.76.186.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BE67039F172 for ; Wed, 13 May 2026 11:04:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=144.76.186.9 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778670260; cv=none; b=HVNN5xLky7+wSOADSL1ufG2qfYx6dtJoHzSnLKpd1fx1SKEOpu/kug/aDDA+wusTCbhEfKFMTMzwp6/f5MlO/7lMrGCmjqULuKlEMMp6BWdWE9pcMjdaFUnvpoGxiaS/ScQaV/psj8iZBx5zeUbp2zMSpve1ZA0hxfq7KXF/634= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778670260; c=relaxed/simple; bh=8tfBUdIf9yaop3xSCbWwel6eQZvh6ZnoW48Ln20zFDI=; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; b=DsW9LfruxDy9T4Rk93Pm0SIS3guPHEQYgoSWuWmGQo4eRt5+T4nLcZx2ahBUCZihBRZ7zSLZa/sU17lIQ4hdirEFRlUiFMBjDREURZQL1eWHxWV6xNcdwLpZLYMp1VosNGYZ3WW+6Zi3Gq/GJiuK7C1ximjBP87FTY3eUD9pkLA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=coker.com.au; spf=pass smtp.mailfrom=coker.com.au; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b=EBmN9+GT; arc=none smtp.client-ip=144.76.186.9 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=coker.com.au Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=coker.com.au Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="EBmN9+GT" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1778670250; bh=gi7+f8DXJU9k3s6HDPURrfsR+7hz50iwIKiDJkKSaXw=; l=608; h=From:To:Subject:Date:From; b=EBmN9+GTM+hhMsEDe0SLIgNypVQESxiVr3gaLJk74XbOEJTq6Ojh8q/WPIrOTb5oG X8zv0Ksm3HCzPjxJajIUIQKyHJtpfVf0aZpa2EGcLv/C5fT13W2m1HljwkMwxrMsrh h7G0C3nBEwRAlpFPU9hpCB2w5qEVrScEMhQvYpr0= Received: from liv.coker.com.au (unknown [IPv6:2001:4479:4300:6400:8e17:93c7:3fa2:324e]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) (Authenticated sender: russell@coker.com.au) by smtp.sws.net.au (Postfix) with ESMTPSA id 143DC11171 for ; Wed, 13 May 2026 21:04:09 +1000 (AEST) From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: staff_r Date: Wed, 13 May 2026 21:04:03 +1000 Message-ID: <3505047.e9J7NaK4W3@dojacat> Precedence: bulk X-Mailing-List: selinux-refpolicy@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="utf-8" Is there any point to staff_r? Currently it is a long way from usable for GUI sessions. For terminal sessions the isolation between staff_r and user_r is matched by the isolation between user identities. The role transition rules generally aren't used for anything and the roles permitted to an identity determine what role transitions can be used. The vast majority of use of the reference policy is for "targeted" configurations without even using user_r. Is there any reason for keeping staff_r? -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/