Why can not user_t link var_lib_t files?

Göran Uddeborg goeran at uddeborg.se
Mon May 18 18:19:45 UTC 2009


Stephen Smalley writes:
> In a least privilege scheme, the question is not why should it be denied
> but rather what legitimate purpose does user_t have in creating hard
> links to random files under /var/lib.

That is true, but as I said, I didn't think user_t was designed
following a least privilege scheme.  I thought it was rather allowed to
do most random things, with a few exceptions.

(According to the least privilege scheme, the same user should
probably not be allowed to READ random /var/lib files either.  Some
files and directories, like /var/lib/texmf, should be readable, but
they have their own type.)

> (and if they are in fact
> served via NFS, then I don't see why they would be in var_lib_t unless
> you mounted the NFS filesystem with
> context=system_u:object_r:var_lib_t).

Ah, no.  These commands were executed on the server where the files
are stored.  It is the digital-TV box that mounts this directory with
NFS.  But we are not trying to do the editing on that box.
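To make the two alternatives in this exchange concrete, here is an added example (not code from the thread or from the Fedora policy): a small POSIX shell script that derives the allow rule an AVC denial asks for (what audit2allow would print), wraps it in a local policy module for the case where user_t legitimately needs the link permission, and builds the mount command for the other option Stephen mentions, labelling the NFS export with an explicit context= on the client. The AVC line is constructed to resemble an audit.log record for `ln` on a var_lib_t file; the export path, mountpoint and module name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Derive the TE rule behind an AVC denial and show the two ways out:
# grant it in a local module, or keep the files out of var_lib_t.

# CONSTRUCTED sample denial (format varies slightly across kernels):
CONSTRUCTED_AVC='type=AVC msg=audit(1242670785.123:456): avc:  denied  { link } for  pid=4242 comm="ln" name="channels.conf" dev=sda3 ino=123456 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'

# avc_field LINE KEY -> value of "KEY=value" in the record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> the permission(s) listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\) *}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# context_type CONTEXT -> the type field of user:role:type[:level]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE -> the single allow rule that would silence the denial
avc_to_allow() {
    _s=$(context_type "$(avc_field "$1" scontext)")
    _t=$(context_type "$(avc_field "$1" tcontext)")
    _c=$(avc_field "$1" tclass)
    _p=$(avc_perm "$1")
    printf 'allow %s %s:%s %s;\n' "$_s" "$_t" "$_c" "$_p"
}

# local_module NAME LINE -> complete .te source for a loadable local module
local_module() {
    _s=$(context_type "$(avc_field "$2" scontext)")
    _t=$(context_type "$(avc_field "$2" tcontext)")
    _c=$(avc_field "$2" tclass)
    _p=$(avc_perm "$2")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$1" "$_s" "$_t" "$_c" "$_p"
    avc_to_allow "$2"
}

# nfs_mount_cmd EXPORT MOUNTPOINT TYPE -> mount line that labels every
# file on the export with the given type instead of the default nfs_t
nfs_mount_cmd() {
    printf 'mount -t nfs -o context=system_u:object_r:%s:s0 %s %s\n' "$3" "$1" "$2"
}

# Walkthrough; nothing below needs SELinux tooling to be installed.
echo "# 1. Confirm the loaded policy lacks the rule (run on the server):"
echo "#    sesearch --allow -s user_t -t var_lib_t -c file -p link"
echo "# 2. Rule derived from the constructed denial:"
avc_to_allow "$CONSTRUCTED_AVC"
echo "# 3. Local module granting it (only if user_t really needs it):"
echo "#    checkmodule -M -m -o local_varlib_link.mod local_varlib_link.te"
echo "#    semodule_package -o local_varlib_link.pp -m local_varlib_link.mod"
echo "#    semodule -i local_varlib_link.pp"
local_module local_varlib_link "$CONSTRUCTED_AVC"
echo "# 4. Or give the export an explicit label on the NFS client (assumed paths):"
nfs_mount_cmd tvserver:/export/tv /mnt/tv var_lib_t
```

The derived rule is deliberately the narrowest one the denial supports (one source type, one target type, one class, one permission); run `sesearch` first, because if the rule already exists the denial has another cause. Step 4 only changes how the client labels files it sees over NFS; the files on the server keep whatever type they have there.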
