On Thu, 2004-10-28 at 00:04 +0200, Thomas Bleher wrote:
> But it would still be nice to stop attackers from the same domain. Eg if
> I have a rogue user in user_t, SELinux will prevent him from messing
> with other domains. But what if he wants to interfere with another user
> (also in user_t)

You can create individual roles and types for each user using
full_user_role. This provides very strong separation between the two
users.

> So I think it makes sense to have stronger DAC protections in addition
> to MAC, even if they cannot guarantee complete protection.

That's true, I guess it is useful if you still want them to be able to
share files etc (which full_user_role currently prevents without
additional work).

This archive was generated by hypermail 2.1.3 : Wed Oct 27 2004 - 15:29:20 PDT