Re: Procmail can't delete a tmp file but has free rein over regular files???


 



On 04/23/2013 02:14 PM, Daniel J Walsh wrote:
On 04/23/2013 02:55 PM, Robert Nichols wrote:
A process running as procmail_t can do pretty much anything to files of
type user_home_t, but is restricted from the user_tmp_t file in /tmp that I
want to use as a semaphore.  Where is the logic in that?  It's like granting
free access to the vault, but locking up the leave-a-penny-take-a-penny
jar.

 From selinux-policy-targeted-3.7.19-195.el6_4.3.noarch:

allow procmail_t user_home_t : file { ioctl read write create getattr
setattr lock append unlink link rename open } ;

allow application_domain_type user_tmp_t : file { getattr append } ;

It is more about whether or not someone has opened a bug on it.  No one has
reported problems with procmail_t ability to create content labeled
user_tmp_t, but if they did, considering what we allow now, it would be
granted access.

Would you like to see a bz opened on that or not?  I ultimately decided to
do the task in a different way, so it really doesn't matter to me now.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
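The two allow rules quoted above explain the behaviour Bob saw: procmail_t reaches user_home_t directly, but it only reaches user_tmp_t through the application_domain_type attribute, and that rule carries nothing beyond getattr and append. The script below is an added example (not code from this thread or from selinux-policy) that parses those two rules, resolves the attribute, and reports the permission set for a (source, target, class) triple, then re-evaluates after a hypothetical local-module rule is appended. The typeattribute line is an assumption standing in for the real policy declaration that puts procmail_t in application_domain_type; on a live system you would get the effective rules from `sesearch --allow -s procmail_t -t user_tmp_t -c file` rather than from a pasted string.

```python
"""
Toy SELinux allow-rule evaluator.  Added example for the procmail_t /
user_tmp_t discussion; not code from the thread or from selinux-policy.
"""
import re
from collections import defaultdict

# Constructed sample policy.  The two allow rules are the ones quoted in the
# thread (selinux-policy-targeted-3.7.19-195.el6_4.3).  The typeattribute line
# is an ASSUMPTION: it stands in for whatever refpolicy macro actually makes
# procmail_t a member of application_domain_type.
SAMPLE_POLICY = """
typeattribute procmail_t application_domain_type;
allow procmail_t user_home_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow application_domain_type user_tmp_t : file { getattr append } ;
"""

# Hypothetical local-module rule (e.g. what audit2allow would propose from the
# AVC denial).  Only file-class perms are shown; see the usage note below.
LOCAL_MODULE = """
allow procmail_t user_tmp_t : file { create open read write unlink } ;
"""

ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")
ATTR_RE = re.compile(r"typeattribute\s+(\S+)\s+([^;]+);")


def parse_policy(text):
    """Return (attrs, rules): attrs maps a type to the attributes it carries,
    rules is a list of (source, target, class, frozenset(perms))."""
    attrs = defaultdict(set)
    rules = []
    for m in ATTR_RE.finditer(text):
        type_name, attr_list = m.groups()
        attrs[type_name].update(a.strip() for a in attr_list.split(","))
    for m in ALLOW_RE.finditer(text):
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, frozenset(perms.split())))
    return attrs, rules


def allowed_perms(policy, src_type, tgt_type, cls):
    """Union of permissions granted to src_type on tgt_type:cls, including
    rules written against any attribute either type carries."""
    attrs, rules = policy
    src_names = {src_type} | attrs[src_type]
    tgt_names = {tgt_type} | attrs[tgt_type]
    granted = set()
    for s, t, c, perms in rules:
        if c == cls and s in src_names and t in tgt_names:
            granted |= perms
    return granted


def is_allowed(policy, src_type, tgt_type, cls, perm):
    return perm in allowed_perms(policy, src_type, tgt_type, cls)


BASE = parse_policy(SAMPLE_POLICY)
PATCHED = parse_policy(SAMPLE_POLICY + LOCAL_MODULE)

if __name__ == "__main__":
    for tgt in ("user_home_t", "user_tmp_t"):
        print(tgt, sorted(allowed_perms(BASE, "procmail_t", tgt, "file")))
    print("unlink on user_tmp_t after local module:",
          is_allowed(PATCHED, "procmail_t", "user_tmp_t", "file", "unlink"))
```

Two caveats before turning LOCAL_MODULE into a real `semodule -i` change: unlinking a file also needs `remove_name` on the parent directory (and creating one needs `add_name`), so a working module carries a `dir` rule as well; and a file created by procmail in /tmp only ends up labelled user_tmp_t if a type transition says so, which is the part of the policy Dan is describing as untested rather than deliberately denied.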

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux




