Re: [policy-sources-1.8-10] tmpwatch ACLs.

On Sun, 14 Mar 2004 06:40, Aleksey Nogin <aleksey@xxxxxxxxx> wrote:
> audit(1079205620.091:0): avc:  denied  { getattr } for  pid=4269
> exe=/usr/sbin/tmpwatch path=/tmp/foo dev=hda2 ino=212920
> scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t
> tclass=file
> audit(1079205620.271:0): avc:  denied  { unlink } for  pid=4269
> exe=/usr/sbin/tmpwatch name=before.new dev=hda2 ino=1357435
> scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t
> tclass=file

If you have such files existing in /tmp then you have a problem.  Allowing an 
unlink of file_t files is probably OK; I'll add that to my tree.  But the 
case for file_t directories is more difficult.  We don't want to allow 
tmpreaper to go wildly removing trees of files labeled file_t.  The issue is 
the same as for home_type.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
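An added example, not part of this thread or of the policy tree: a small Python triage script that parses AVC records like the two quoted above, pulls the source and target types out of `scontext`/`tcontext`, and separates the file case (unlink of a file_t file) from the directory case, where a blanket allow would let the reaper walk whole unlabeled trees. The sample input is the two records from this message re-joined onto single lines; the function names and the `triage` classification are mine.

```python
import re

# Constructed sample input: the two AVC records quoted in the thread above,
# re-joined onto single lines (the list archive wrapped them).
SAMPLE_AVC = (
    "audit(1079205620.091:0): avc:  denied  { getattr } for  pid=4269 "
    "exe=/usr/sbin/tmpwatch path=/tmp/foo dev=hda2 ino=212920 "
    "scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file\n"
    "audit(1079205620.271:0): avc:  denied  { unlink } for  pid=4269 "
    "exe=/usr/sbin/tmpwatch name=before.new dev=hda2 ino=1357435 "
    "scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file\n"
)

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("kv")))
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    # A context is user:role:type[:level]; policy rules key on the type field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(log_text, reaper_type="tmpreaper_t", unlabeled_type="file_t"):
    """Flag reaper denials against unlabeled (file_t) objects.

    Returns (kind, target, perms) tuples.  'unlabeled_file' is the case the
    thread considers safe to allow; 'unlabeled_dir' is the case where the
    right fix is to relabel the tree rather than loosen policy.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied" or rec["stype"] != reaper_type:
            continue
        if rec["ttype"] != unlabeled_type:
            continue
        target = rec.get("path") or rec.get("name", "?")
        kind = "unlabeled_dir" if rec.get("tclass") == "dir" else "unlabeled_file"
        findings.append((kind, target, rec["perms"]))
    return findings
```

Run it over `/var/log/messages` (or `ausearch -m avc` output on newer systems); file_t findings mean the objects carry no label, so `restorecon` on the affected paths addresses the cause rather than the symptom.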
