Bug 129584: restrictions on user_t
Tom London
selinux at gmail.com
Thu Sep 16 00:09:45 UTC 2004
I can see this going towards three 'standard' policies: targeted,
tight and strict
(where tight is strict with usercanread 'everywhere').
In general, I'm in favor of keeping strict as it is: well defined policies for
the mandatory access controls that override the discretionary ones.
But then again, I can understand circumstances where one may want
something 'in between' targeted and strict.
Not sure how to extend this to 'group readable', though.
tom
[My guess is that when the knowledge-/comfort-level of policy
hacking is greater, this will be less of an issue.]
On Wed, 15 Sep 2004 16:46:12 -0400, Ivan Gyurdiev <ivg2 at cornell.edu> wrote:
> Bug link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129584
>
> > Additional Comment #9 From Daniel Walsh (dwalsh at redhat.com) on
> > 2004-09-15 15:55
>
> > Yes there are a lot of files that user can not access. Mainly any
> > file that has a security context associated with it and doesn't have
> > the attribute usercanread.
>
> > Again I want to bring this conversation to the public list and come to
> > concensus. We can add usercanread to these files, but the question
> > than is should a user be able to read all files even if they are world
> > readable.
>
> I don't see why not. If you think the user should not be able
> to read those files, then why aren't their permissions flags
> set accordingly? If a file was intended to be readable only
> by a certain application or only by root then it could have had
> the proper user/group/rwx flags set - this restriction could
> have been imposed without SELinux. If it is marked
> user readable then it seems to me that any user should
> be able to read it (or at least that there are no
> security reasons to deny it). So why
> does SElinux impose restrictions on user_t
> that contradict this explicit setting?
>
> --
> Ivan Gyurdiev <ivg2 at cornell.edu>
> Cornell University
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
--
Tom London
More information about the fedora-selinux-list
mailing list