Why can not user_t link var_lib_t files?
Stephen Smalley
sds at tycho.nsa.gov
Mon May 18 12:48:08 UTC 2009
On Sun, 2009-05-17 at 18:44 +0200, Göran Uddeborg wrote:
> Is there some reason user_t is denied to link a file with type
> var_lib_t (among others)? Or did it just happen that way? I don't
> see any security advantage.
In a least privilege scheme, the question is not why should it be denied
but rather what legitimate purpose does user_t have in creating hard
links to random files under /var/lib. Generally none; in your case, you
ought to have a distinct type for those files (and if they are in fact
served via NFS, then I don't see why they would be in var_lib_t unless
you mounted the NFS filesystem with
context=system_u:object_r:var_lib_t).
user_t is supposed to be an unprivileged user account, and creating hard
links to files to which you have no create/write permissions is usually
a sign of something wrong (hence a wide variety of Linux security
patches prohibit link'ing to files you don't own).
> (It doesn't matter for the question, but I suspect somebody will ask
> why I want this. The particular use case where we were hit by this is
> non-standard. We have a digital TV receiver box that saves recordings
> via NFS under /var/lib/TV on a server. A user wanted to edit out the
> commercials from one recording using the m2vmp2cut tool. The tool is
> most easy to use when the original recording is in the working
> directory. She could copy the file from /var/lib/TV/... to her home
> directory, but to save a lot of time and space she tried to make a
> (hard) link instead. SELinux denied her that. Obviously
> non-standard, and the regular policy doesn't know anything about these
> files. And I know various ways to work around it, including adding a
> module. But I was a bit surprised over the denial. I would have
> expected user_t to be allowed to do this. Thus my question, is this
> by design or by mistake?)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
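As an added illustration of the "distinct type" approach suggested above (not code from the thread or from the reference policy), the script below generates a small SELinux policy module that labels the recordings under /var/lib/TV with their own type and grants user_t only read and hard-link access to that type. The type name tv_recording_t, the module name and the file paths are assumptions chosen for this example.

```shell
#!/bin/sh
# Constructed example: give TV recordings their own SELinux type
# (tv_recording_t, a hypothetical name) so user_t can read and hard-link
# them without loosening access to everything labelled var_lib_t.

# Writes tv_recording.te and tv_recording.fc into the directory given as $1.
write_tv_policy() {
    dir="$1"
    cat > "$dir/tv_recording.te" <<'EOF'
policy_module(tv_recording, 1.0)

require {
    type user_t;
}

# Distinct type for the recordings; files_type() marks it as an ordinary
# file type so generic file-handling domains (backup, restorecon) still work.
type tv_recording_t;
files_type(tv_recording_t)

# Least privilege: read and hard-link the recordings, nothing more.
# add_name on the destination directory (the user's home) is already
# granted to user_t by the base policy.
allow user_t tv_recording_t:file { getattr open read link };
EOF
    cat > "$dir/tv_recording.fc" <<'EOF'
/var/lib/TV(/.*)?    gen_context(system_u:object_r:tv_recording_t,s0)
EOF
}

# Builds and loads the module on the server that exports /var/lib/TV.
# Needs the refpolicy devel Makefile (selinux-policy-devel on Fedora) and root.
install_tv_policy() {
    dir="$1"
    make -C "$dir" -f /usr/share/selinux/devel/Makefile tv_recording.pp
    semodule -i "$dir/tv_recording.pp"
    restorecon -Rv /var/lib/TV
}

if [ "${1:-}" = "install" ]; then
    d=$(mktemp -d)
    write_tv_policy "$d"
    install_tv_policy "$d"
fi
```

Running the script with the argument install builds and loads the module; without it, the script only defines the two functions.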