Is it possible to create a new selinux user and assign a certain login to it so that afterwards I can add allow rules specifically for that user?

Say, I have all users in selinux guest_u, but I would like ONLY UNIX user "foobar" to be able to have access to a certain type/domain.

So far, I created the user and assigned the login:
Any ideas on how to create a rule specially for testing2_u?

#only_user_testing2_u...
allow blabla_t blabla2_t:file execute;
#only_user_testing2_u...

Dan Walsh added that kind of sandboxing to Fedora (whose rules are evolving way faster than RHEL/Centos) in the form of the xguest (or something similar-sounding), if you check out his web log at http://danwalsh.livejournal.com/ you'll probably find it. Let us know if that isn't what you're looking for and BTW please fill in your distro nfo in your http://www.linuxquestions.org/questions/usercp.php .

I emailed Dan Walsh because I couldn't find/understand guest.te rules. My problem is very simple, I just need to know how to add per-user allow rules in selinux.

Thanks for replying!

They should be in Fedora since F10 IIRC, note there's also a selinux users mailing list that probably has search-enabled archives, but let us know what he says, OK?

I found a way, theoretically, to achieve what I'm searching for. It seems that I only have to create a role for each user and optionally a domain so in the end I have something like this:

Then, I could either allow user1_r to do everything user_r does, or actually allowing exactly what user1_u will do in the machine.

The problem is, fedora's 10/11 guest.te/guest.if isn't compatible with centos5 selinux development installation and I don't trust fedora for a production machine (not that unlikely yum upgrade will wreak havoc).

Anyone else, any ideas?