[policy-sources-1.8-10] tmpwatch ACLs.
Russell Coker
russell at coker.com.au
Sun Mar 14 04:47:23 UTC 2004
On Sun, 14 Mar 2004 06:40, Aleksey Nogin <aleksey at nogin.org> wrote:
> audit(1079205620.091:0): avc: denied { getattr } for pid=4269
> exe=/usr/sbin/tmpwatch path=/tmp/foo dev=hda2 ino=212920
> scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t
> tclass=file
> audit(1079205620.271:0): avc: denied { unlink } for pid=4269
> exe=/usr/sbin/tmpwatch name=before.new dev=hda2 ino=1357435
> scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t
> tclass=file
If you have such files existing in /tmp then you have a problem. Allowing an
unlink of file_t files is probably OK, I'll add that to my tree. But the
case for file_t directories is more difficult. We don't want to allow
tmpreaper to go wildly removing trees of files labeled file_t. The issue is
the same as for home_type.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list
mailing list