/sbin/restorecon and hard links

Stephen Smalley sds at tycho.nsa.gov
Wed Feb 15 14:01:32 UTC 2006


On Wed, 2006-02-15 at 14:19 +0100, Erik Sjölund wrote:
> [root at e /]# cat /etc/redhat-release
> Fedora Core release 4 (Stentz)
> [root at e /]# adduser erik
> [root at e /]# su - erik
> [erik at e ~]$ ln /etc/passwd .
> [erik at e ~]$ exit
> [root at e /]#  ls -lZ /etc/passwd
> -rw-r--r--  root     root   system_u:object_r:etc_t          /etc/passwd
> [root at e /]# restorecon -R /home
> [root at e /]# ls -lZ /etc/passwd
> -rw-r--r--  root     root   user_u:object_r:user_home_t      /etc/passwd
> 
> Should it be like that?
> 
> /sbin/restorecon -R /home
> 
> might lead to strange security contexts for files belonging to root.

Yes, running restorecon on /home by root considered harmful,
particularly under targeted policy.  Under strict policy, a user can't
create hard links to system files (controlled by the 'link' permission),
which helps avoid the problem, and restorecon and setfiles aren't
allowed to follow untrustworthy symlinks by the policy.  setfiles also
contains code to check for multiple hard links with conflicting matches,
so if you run setfiles on /, it should complain about the discrepancy,
but restorecon doesn't do that and even if it did it naturally can't
tell that when it is just run on /home.

-- 
Stephen Smalley
National Security Agency
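
A pre-check for the situation in this thread, as an added example that is not part of the original message and is not code from restorecon or setfiles: it lists regular files under a tree (default /home) whose inode has more hard links than were found inside that tree, meaning a recursive relabel of the tree would also change the label of a file that lives elsewhere. The function name externally_linked and the exit-code convention are assumptions made for the example.

```python
import os
import stat
import sys
from collections import defaultdict


def externally_linked(tree):
    """Return {(dev, ino): [paths]} for regular files under `tree` whose
    inode has more hard links than the number of paths found inside `tree`.

    Such an inode is also reachable from outside the tree, so relabeling
    the tree recursively would relabel that outside file as well.
    """
    paths_by_inode = defaultdict(list)
    link_count = {}
    for root, _dirs, files in os.walk(tree, followlinks=False):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # removed while scanning, or unreadable
            if not stat.S_ISREG(st.st_mode) or st.st_nlink < 2:
                continue
            key = (st.st_dev, st.st_ino)
            paths_by_inode[key].append(path)
            link_count[key] = st.st_nlink
    # Keep only inodes with at least one link that the walk did not see.
    return {
        key: sorted(paths)
        for key, paths in paths_by_inode.items()
        if link_count[key] > len(paths)
    }


if __name__ == "__main__":
    tree = sys.argv[1] if len(sys.argv) > 1 else "/home"
    hits = externally_linked(tree)
    for (dev, ino), paths in sorted(hits.items()):
        print(f"inode {ino} on dev {dev}: also linked outside {tree}")
        for p in paths:
            print(f"    {p}")
    # Non-zero exit so a wrapper script can refuse to relabel.
    sys.exit(1 if hits else 0)
```

The scan can only report that a link exists outside the tree, not where it is; finding the other name requires a search of the whole filesystem for the same inode number.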



