On 04/23/2013 02:55 PM, Robert Nichols wrote:
> A process running as procmail_t can do pretty much anything to files of
> type user_home_t, but is restricted from the user_tmp_t file in /tmp that I
> want to use as a semaphore. Where is the logic in that? It's like granting
> free access to the vault, but locking up the leave-a-penny-take-a-penny
> jar.
>
> From selinux-policy-targeted-3.7.19-195.el6_4.3.noarch:
>
> allow procmail_t user_home_t : file { ioctl read write create getattr
> setattr lock append unlink link rename open } ;
>
> allow application_domain_type user_tmp_t : file { getattr append } ;
>

It is more about whether or not someone has opened a bug on it. No one has
reported problems with procmail_t's ability to create content labeled
user_tmp_t, but if they did, considering what we allow now, it would be
granted access.

I guess a tool that looked at what is granted to user_home_t and not
user_tmp_t would help find issues like this.

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
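The reply above wishes for a tool that shows what a domain is granted on user_home_t but not on user_tmp_t. The script below is an added example, not code from this thread or from the SELinux reference policy: it parses allow rules in the text form sesearch prints (the two rules quoted in the thread are embedded as constructed sample input) and reports, per object class, the permissions a domain holds on one type but not the other. It assumes that procmail_t is a member of the application_domain_type attribute, which the thread implies but does not state; the ATTRIBUTE_MEMBERS map is a constructed stand-in for what seinfo would report on a real system, and the rule text would normally come from something like `sesearch -A -s procmail_t -c file`.

```python
import re

# Constructed sample input: the two allow rules quoted in the thread
# (selinux-policy-targeted-3.7.19-195.el6_4.3), as sesearch prints them.
SAMPLE_RULES = """\
allow procmail_t user_home_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow application_domain_type user_tmp_t : file { getattr append } ;
"""

# Assumption (not stated in the thread): procmail_t carries the
# application_domain_type attribute, so the second rule applies to it.
# On a real system this mapping would be read from seinfo output.
ATTRIBUTE_MEMBERS = {"application_domain_type": {"procmail_t"}}

# Accepts both "allow a b : file { x y } ;" (setools 3) and
# "allow a b:file { x y };" (setools 4), with or without the brace set.
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+?)\s*"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;"
)


def parse_allow_rules(text):
    """Return a list of (source, target, class, frozenset(perms)) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("allow"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        perms = (m.group("perms") or m.group("perm")).split()
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms)))
    return rules


def expand_source(src, attribute_members):
    """A rule source is either a type or an attribute; expand to the set of types."""
    return attribute_members.get(src, {src})


def granted(rules, domain, target, cls, attribute_members):
    """Union of permissions `domain` holds on `target` for object class `cls`."""
    perms = set()
    for src, tgt, c, p in rules:
        if tgt == target and c == cls and domain in expand_source(src, attribute_members):
            perms |= p
    return perms


def permission_gap(rules, domain, type_a, type_b, cls, attribute_members):
    """Compare what `domain` may do to `type_a` versus `type_b` for class `cls`."""
    a = granted(rules, domain, type_a, cls, attribute_members)
    b = granted(rules, domain, type_b, cls, attribute_members)
    return {"only_" + type_a: a - b, "only_" + type_b: b - a, "both": a & b}


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_RULES)
    gap = permission_gap(rules, "procmail_t", "user_home_t", "user_tmp_t", "file",
                         ATTRIBUTE_MEMBERS)
    for label, perms in gap.items():
        print(f"{label}: {' '.join(sorted(perms)) or '(none)'}")
```

Run against the sample it lists the ten permissions (ioctl, read, write, create, setattr, lock, unlink, link, rename, open) that procmail_t holds on user_home_t but not on user_tmp_t, which is exactly the asymmetry the first message complains about. Feeding it the full sesearch output for a domain, rather than two hand-picked rules, turns it into the comparison tool the reply describes.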