Re: Why can not user_t link var_lib_t files?
- From: Dominick Grift <domg472 gmail com>
- To: Göran Uddeborg <goeran uddeborg se>
- Cc: fedora-selinux-list redhat com
- Subject: Re: Why can not user_t link var_lib_t files?
- Date: Sun, 17 May 2009 19:25:08 +0200
On Sun, 2009-05-17 at 18:44 +0200, Göran Uddeborg wrote:
> Is there some reason user_t is denied to link a file with type
> var_lib_t (among others)? Or did it just happen that way? I don't
> see any security advantage.
> Thus my question, is this by design or by mistake?)
I think the policy author could probably give the right answer, but I
think this is by design. Most stuff in /var is system stuff and not for
users. So if a user has nothing to do there then no need to give them
access either.

Stuff like /var/spool/mail/<user> is however accessible.

Like you suggested, it is easy to create an extension or a new role/custom
user domain for this functionality.

If you want your users to be unrestricted then map the user to
unconfined_u.