Bug 129584: restrictions on user_t

Tom London selinux at gmail.com
Thu Sep 16 00:09:45 UTC 2004


I can see this going towards three 'standard' policies: targeted,
tight and strict
(where tight is strict with usercanread 'everywhere').

In general, I'm in favor of keeping strict as it is: well defined policies for
the mandatory access controls that override the discretionary ones.

But then again, I can understand circumstances where one may want
something 'in between' targeted and strict.

Not sure how to extend this to 'group readable', though.

tom

[My guess is that when the knowledge-/comfort-level of policy
hacking is greater, this will be less of an issue.]

On Wed, 15 Sep 2004 16:46:12 -0400, Ivan Gyurdiev <ivg2 at cornell.edu> wrote:
> Bug link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129584
> 
> > Additional Comment #9 From Daniel Walsh (dwalsh at redhat.com)  on
> > 2004-09-15 15:55
> 
> > Yes there are a lot of files that user can not access.  Mainly any
> > file that has a security context associated with it and doesn't have
> > the attribute usercanread.
> 
> > Again I want to bring this conversation to the public list and come to
> > consensus.  We can add usercanread to these files, but the question
> > then is should a user be able to read all files even if they are world
> > readable.
> 
> I don't see why not. If you think the user should not be able
> to read those files, then why aren't their permissions flags
> set accordingly? If a file was intended to be readable only
> by a certain application or only by root then it could have had
> the proper user/group/rwx flags set - this restriction could
> have been imposed without SELinux. If it is marked
> user readable then it seems to me that any user should
> be able to read it (or at least that there are no
> security reasons to deny it). So why
> does SELinux impose restrictions on user_t
> that contradict this explicit setting?
> 
> --
> Ivan Gyurdiev <ivg2 at cornell.edu>
> Cornell University
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 



-- 
Tom London
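The point both messages turn on is the order in which the two access checks compose: a read succeeds only if the DAC mode bits permit it and the SELinux policy also permits it, so a world-readable file whose type lacks the usercanread attribute is still denied to user_t. The following toy model is an added illustration, not code from this thread or from any SELinux policy; user_t and usercanread are the names discussed above, while the file types, paths, mode bits and allow rules are constructed for the example.

```python
"""Toy model of DAC and SELinux type enforcement composing on a file read.

Added illustration only. The attribute/allow machinery is a simplified
sketch of type-enforcement policy; the types, paths and rules are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class File:
    path: str
    mode: int           # POSIX permission bits, e.g. 0o644
    owner_uid: int
    group_gid: int
    type_label: str     # SELinux type component of the file's context


@dataclass
class Policy:
    # attribute name -> set of types that carry the attribute
    attributes: dict[str, set[str]] = field(default_factory=dict)
    # (subject domain, target type or attribute) -> permitted operations
    allow: dict[tuple[str, str], set[str]] = field(default_factory=dict)

    def expand(self, name: str) -> set[str]:
        # An attribute expands to its member types; a plain type is itself.
        return self.attributes.get(name, {name})

    def mac_allows(self, domain: str, target_type: str, perm: str) -> bool:
        return any(
            subj == domain and target_type in self.expand(tgt) and perm in perms
            for (subj, tgt), perms in self.allow.items()
        )


def dac_allows(f: File, uid: int, gids: set[int], perm: str) -> bool:
    """Classic owner/group/other check. Root bypass approximates CAP_DAC_OVERRIDE."""
    if uid == 0:
        return True
    bit = {"read": 4, "write": 2, "execute": 1}[perm]
    shift = 6 if uid == f.owner_uid else 3 if f.group_gid in gids else 0
    return bool((f.mode >> shift) & bit)


def decide(policy: Policy, f: File, uid: int, gids: set[int],
           domain: str, perm: str) -> tuple[bool, str]:
    """DAC is consulted first; SELinux can only further restrict, never widen."""
    if not dac_allows(f, uid, gids, perm):
        return False, "denied by DAC mode bits"
    if not policy.mac_allows(domain, f.type_label, perm):
        return False, f"denied by SELinux: no rule lets {domain} {perm} {f.type_label}"
    return True, "allowed by both DAC and SELinux"


# Constructed policy: only types carrying usercanread are readable from user_t.
POLICY = Policy(
    attributes={"usercanread": {"etc_t", "bin_t"}},
    allow={("user_t", "usercanread"): {"read", "execute"}},
)

# Constructed files. The third is the case the thread is about: world-readable
# under DAC, but its type carries no usercanread attribute.
FILES = {
    "/etc/hosts":         File("/etc/hosts", 0o644, 0, 0, "etc_t"),
    "/etc/shadow":        File("/etc/shadow", 0o400, 0, 0, "shadow_t"),
    "/var/lib/example/x": File("/var/lib/example/x", 0o644, 0, 0, "example_data_t"),
}


def read_as_user(path: str) -> tuple[bool, str]:
    # Unprivileged uid 1000 running in the user_t domain.
    return decide(POLICY, FILES[path], 1000, {1000}, "user_t", "read")


if __name__ == "__main__":
    for p in FILES:
        ok, why = read_as_user(p)
        print(f"{p:22s} {'OK ' if ok else 'NO '} {why}")
```

Running it shows the three outcomes side by side: /etc/hosts passes both checks, /etc/shadow is stopped by DAC before SELinux is even consulted, and /var/lib/example/x is readable by mode bits yet denied because nothing in the policy lets user_t read example_data_t. Granting the attribute to that type (or adding a direct allow rule) is the change being debated in the thread; loosening the mode bits would change nothing.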
