On Mon, 2014-03-17 at 19:57 +0000, Schaufler, Casey wrote:
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of José Bollo
> > Sent: Monday, March 17, 2014 9:48 AM
> > To: [email protected]
> > Cc: 전유석; [email protected]
> > Subject: Re: [Dev] [Multiuser] Security Policy Proposal for Multi-User Environment

(snip)

> > We disagree with "only default user is able to install & uninstall
> > applications".
> > We prefer to define roles, basically 3 roles: admin, normal, guest. The
> > users with the role of "admin" can add/remove any applications (both
> > user-level applications and system-level applications), (s)he can choose
> > the visibility (all user, some user, non-guest ...).
> > Normal users can install user-level applications for him(her) self only.
> > Guest users can't install or remove application.
> >
> Let us be careful about using the term "roles".
> We do not have a role based system. We do not
> have the infrastructure to support real "roles".

I agree with you. What better term to use? Profile? Silhouette? Capability? Power? Outline? Figure? ...

To support this kind of feature, the use of DAC groups may be the infrastructure.

>
> > page 3
> > ======
> >
> > Home directory is created when a new user is added, its Smack access
> > label is set to "User" and its smack transmute flag to TRUE.
>
> There should never be a transmute flag on directories with
> the domain base label. The User label is for domain private
> data. If you are sharing this with other domains you need to
> use a different (e.g. User::Shared, User::Applications) label.

You're right, in absolute, that would be better. And in that case, is the label "User::Public" okay? I prefer it to "Shared" because Shared is an action and Public is a state. And here there is no action from any user but the state of the home directory is public by default.

But a problem remains with that solution: how does a user change the shared state of a file? Normal users can't use "chsmack". Then the solution to put any file to "User" with transmute is surely working and the DAC will complete it.

Do I miss something?

Best regards
José
