Re: [RFC] [PATCH] Replace security fields with hashtable

From: Colin Walters (walters@private)
Date: Wed Oct 27 2004 - 16:02:42 PDT


On Wed, 2004-10-27 at 18:29 -0400, Colin Walters wrote:

> That's true, I guess it is useful if you still want them to be able to
> share files etc (which full_user_role currently prevents without
> additional work).

Although, the additional work here is actually quite small (if indeed
you do want these users to be able to access each other's files).

full_user_role(bob)
full_user_role(jane)
define(`user_readonly_share',`
allow $1_t $2_home_dir_t:dir { getattr search };
r_dir_file($1_t, $2_home_t)
allow $2_t $1_home_dir_t:dir { getattr search };
r_dir_file($2_t, $1_home_t)
')
user_readonly_share(bob, jane)

This is all much more flexible than the approach of not allowing
symlinks you don't own.  For example, it would certainly be annoying not
to be able to read users' symlinks in /tmp to debug problems when I'm
logged in as the system administrator, and have to chown them, then
chown them back...




