On 05/24/14 08:40, dE wrote:
> On 05/24/14 01:02, toản cù wrote:
>> Hi all!
>>
>> I am just researching policy in SELinux and Samba. SELinux has a
>> separate policy module for Samba. I only know the label samba_share_t,
>> used to share data when labeled in SELinux enforcing mode.
>>
>> I want to use SELinux for further intervention on the issue
>> of decentralization for each user to access data on the Samba share.
>> How, for the same file (*.docx, *.txt), can user1 read and write but
>> user2 not?
>>
>> And one more question: a group has different users with the same
>> access to the Samba share. Those users have some rights that are the
>> same and some rights that are different. For example, the rights to
>> read and write a file are different. How do I make the rights differ
>> between users in the same group?
>>
>> Looking forward to your help!
>>
>> Thanks!
>>
>> --
>> Mr.Toan-Cu Xuan
>> School of Electronics and Telecommunications
>> Hanoi University of Science and Technology
>> 1 Dai Co Viet, Ha noi, Viet nam.
>> Phone: 01656228762
>> Email: xuantoanbkfet@gmail.com
>
> I don't think smbd spawns a new process when a new user logs in
> (that's why we have 'force user'), so there's no way for SELinux to
> identify the login user of the SMB service.
>
> Otherwise what could've been done is set the umask to 077 and inherit
> owner, inherit permissions to yes. So DAC would've been good enough
> for the purpose.

I don't remember how Actually it does. Set 'username map' and you get what you want with DAC.
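
Added example, not part of the original thread: an smb.conf fragment with a username map and POSIX ACL commands illustrating the DAC approach the last reply points to. The group `staff`, the share name, the paths and the client names are assumptions; `user1`, `user2` and `samba_share_t` come from the question.

```ini
# /etc/samba/smb.conf (fragment; constructed example)
[global]
    # Translate the name a client presents into a local Unix account.
    username map = /etc/samba/smbusers

[docs]
    # Assumed path; labelled samba_share_t so smbd may serve it under
    # SELinux enforcing mode:
    #   chcon -R -t samba_share_t /srv/samba/docs
    path = /srv/samba/docs
    read only = no
    # Both users are members of the assumed group "staff".
    valid users = @staff
    # New files take their mode from the parent directory and their
    # owner from the directory owner.
    inherit permissions = yes
    inherit owner = yes

# /etc/samba/smbusers (constructed; format is "unixname = clientname ...")
#   user1 = "Example User One"
#   user2 = "Example User Two"
#
# Per-user rights on one file, set with POSIX ACLs on the server:
#   setfacl -m u:user1:rw-,u:user2:--- /srv/samba/docs/report.docx
#   getfacl /srv/samba/docs/report.docx
# A named-user entry is evaluated before group entries, so user2 is
# refused even though group "staff" has rw on the file.
```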