Message-ID: <41BD9FA9.9030402@redhat.com>
Date: Mon, 13 Dec 2004 08:56:57 -0500
From: Daniel J Walsh
To: Russell Coker
CC: Valdis.Kletnieks@vt.edu, Stephen Smalley, SE Linux list, Jim Carter, Colin Walters, Nalin Dahyabhai
Subject: Re: Single home directory type for all roles.
In-Reply-To: <1102944341.32053.26.camel@aeon>
List-Id: selinux@tycho.nsa.gov

Russell Coker wrote:

> On Fri, 2004-12-10 at 09:09 -0500, Daniel J Walsh wrote:
>
> > Ok, I succumb. I will not fight the battle any longer, but I believe
> > that average people will not use roles because it
> > is too difficult. I will not build tools that will automatically
> > relabel the file system since these will be prone
> > to errors. People will run users in the default role of the system,
> > whether we default it to user_r with user_canbe_sysadm,
> > or default to staff.
>
> I think that the way to go is to have staff_t be the default login
> domain, have two roles for it, staff_r and staff_restricted_r, where the
> latter can't change to sysadm_r and has other limitations. I'll write
> the policy for staff_restricted_r.
>
> > I believe that the only people who will use roles as they are currently
> > constituted are security people.
>
> Currently the only people who use strict policy are "security people".

By security people, I meant people who understand how to write policy.

My opinion is that the end goal for strict policy is that it be used by security admins who don't need to know how to write policy. selinux-policy-strict-sources should end up being like kernel-sources: only to be used by developers and people interested in how the system works.
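The split Russell proposes above (one login domain, two roles, one of which cannot reach sysadm_r), sketched as an added policy fragment in the kernel policy language of the 2004-era strict policy; this is illustrative, not Russell's or the policy tree's actual code, and the user names are made up:

```selinux
# Both roles are authorized for the same login domain, so a restricted
# user gets the same staff_t environment as an unrestricted one.
role staff_r types staff_t;
role staff_restricted_r types staff_t;
role sysadm_r types sysadm_t;

# Role allow rules decide which role changes (e.g. via newrole) the
# kernel permits.  staff_r may move to sysadm_r and back ...
allow staff_r sysadm_r;
allow sysadm_r staff_r;

# ... but there is deliberately no "allow staff_restricted_r sysadm_r;"
# and no "allow staff_restricted_r staff_r;", so a restricted user is
# denied any role change that would lead to sysadm_r.

# Hypothetical users: which roles each identity may ever hold.
user dan_admin roles { staff_r sysadm_r };
user dan_restricted roles { staff_restricted_r };
```

With this in place, `newrole -r sysadm_r` fails for dan_restricted at the role-allow check, while dan_admin is still gated by the usual sysadm_r transition rules.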