You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There are use cases where neither the SELinux user nor role are used at all (e.g. Android, which defines a single user and a single role), and even in Linux distributions, you really only need one or the other, not both. The SELinux user was originally envisioned to be the actual Linux username, but that was supplanted by the seusers mapping, making it more akin to a role. In any event, it should be configurable in policy whether we include the user and/or role and if not, then the relevant policy components and security context fields should just go away entirely. We're presently wasting space in security contexts for them, mostly always for files (unless using RBACSEP) and even to some degree for processes.
The text was updated successfully, but these errors were encountered:
There are use cases where neither the SELinux user nor role are used at all (e.g. Android, which defines a single user and a single role), and even in Linux distributions, you really only need one or the other, not both. The SELinux user was originally envisioned to be the actual Linux username, but that was supplanted by the seusers mapping, making it more akin to a role. In any event, it should be configurable in policy whether we include the user and/or role and if not, then the relevant policy components and security context fields should just go away entirely. We're presently wasting space in security contexts for them, mostly always for files (unless using RBACSEP) and even to some degree for processes.
The text was updated successfully, but these errors were encountered: