[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: Bug 129584: restrictions on user_t
- From: Tom London <selinux gmail com>
- To: ivg2 cornell edu, "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Cc:
- Subject: Re: Bug 129584: restrictions on user_t
- Date: Wed, 15 Sep 2004 17:09:45 -0700
I can see this going towards three 'standard' policies: targeted,
tight and strict
(where tight is strict with usercanread 'everywhere').
In general, I'm in favor of keeping strict as it is: well defined policies for
the mandatory access controls that override the discretionary ones.
But then again, I can understand circumstances where one may want
something 'in between' targeted and strict.
Not sure how to extend this to 'group readable', though.
tom
[My guess is that when the knowledge-/comfort-level of policy
hacking is greater, this will be less of an issue.]
On Wed, 15 Sep 2004 16:46:12 -0400, Ivan Gyurdiev <ivg2 cornell edu> wrote:
> Bug link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129584
>
> > Additional Comment #9 From Daniel Walsh (dwalsh redhat com) on
> > 2004-09-15 15:55
>
> > Yes there are a lot of files that user can not access. Mainly any
> > file that has a security context associated with it and doesn't have
> > the attribute usercanread.
>
> > Again I want to bring this conversation to the public list and come to
> > concensus. We can add usercanread to these files, but the question
> > than is should a user be able to read all files even if they are world
> > readable.
>
> I don't see why not. If you think the user should not be able
> to read those files, then why aren't their permissions flags
> set accordingly? If a file was intended to be readable only
> by a certain application or only by root then it could have had
> the proper user/group/rwx flags set - this restriction could
> have been imposed without SELinux. If it is marked
> user readable then it seems to me that any user should
> be able to read it (or at least that there are no
> security reasons to deny it). So why
> does SElinux impose restrictions on user_t
> that contradict this explicit setting?
>
> --
> Ivan Gyurdiev <ivg2 cornell edu>
> Cornell University
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
--
Tom London
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]