Re: Why can not user_t link var_lib_t files?

On 05/17/2009 04:26 PM, Göran Uddeborg wrote:
Dominick Grift writes:
Most stuff in /var is system stuff and not for
users. So if a user has nothing to do there then no need to give them
access either.

Stuff like /var/spool/mail/<user> is however accessible.

Most things in /var are ACCESSIBLE.  The same user that could not link
the file had no problems copying it.

I was under the impression that user_u was not meant to be overly
restricted.  It should not be able to do su/sudo and other kinds of
system work.  But apart from that I thought it was meant to be able to
do most things regular users on non-SELinux systems can do.

That was the impression I got from
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
among other places.  But maybe I have misunderstood things.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes, user_u is not that restrictive, but the idea is a managed user. I would tend to think of a user who does few commands with the shell. But please attach the AVCs you are seeing. The directory in question might need a different label.

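The reply above asks for the AVC denials before deciding whether the directory needs a different label. As an added example (not from this thread and not one of SELinux's own tools), here is a small Python triage script that parses AVC records in the format the audit log prints (the lines `ausearch -m avc` returns) and groups the denied permissions by source type, target type and object class, which is the information needed to tell a policy gap from a mislabelled directory. The sample records are constructed for this example and assume a user_t shell hard-linking a var_lib_t file.

```python
import re
from collections import defaultdict

# Matches the classic kernel AVC record: "avc: denied { perms } for ... scontext=...
# tcontext=... tclass=...". Contexts look like user:role:type[:level].
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+'
    r'(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The SELinux type is the third colon-separated field of a context.
    src_type = m.group('scontext').split(':')[2]
    tgt_type = m.group('tcontext').split(':')[2]
    # Remaining key=value fields (pid, comm, name, dev, ino); values may be quoted.
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')))
    return {
        'perms': frozenset(m.group('perms').split()),
        'source_type': src_type,
        'target_type': tgt_type,
        'tclass': m.group('tclass'),
        'comm': fields.get('comm', '').strip('"'),
        'name': fields.get('name', '').strip('"'),
    }

def summarize(lines):
    """Group denials by (source type, target type, class) -> set of denied perms."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            summary[(rec['source_type'], rec['target_type'], rec['tclass'])] |= rec['perms']
    return dict(summary)

# Constructed sample records (not taken from the thread). Creating a hard link needs
# 'link' on the target file and 'add_name' on the directory receiving the new name,
# so a denied link typically shows up as two AVCs; the SYSCALL line is ignored.
SAMPLE_LOG = [
    'type=AVC msg=audit(1242568000.123:456): avc:  denied  { link } for  pid=1234 comm="ln" name="cache.db" dev=dm-0 ino=12345 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1242568000.123:457): avc:  denied  { add_name } for  pid=1234 comm="ln" name="cache.db.bak" dev=dm-0 ino=12300 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1242568000.123:456): arch=c000003e syscall=86 success=no exit=-13',
]

if __name__ == '__main__':
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{src} -> {tgt} ({cls}): {" ".join(sorted(perms))}')
```

Feed it real records with `ausearch -m avc` and compare the target type against what `ls -Z` shows for the directory: a target type that does not match the file context expected for that path points at a labelling problem rather than at the user_t policy.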