We are actually removing some of these transitions from unconfined_t in RHEL7 and latest Fedoras. setfiles_t probably should be allowed to read all files, since it can change the label on all files, so not much security is bought by this.

On 01/05/2015 08:45 PM, Robert Nichols wrote:
> I find it odd that a setfiles_t process is allowed to read user_home_t
> files but not admin_home_t. So, to use "semanage -i ..." I need to
> store the file in a less protected location?
> (Or use "cat xxx | semanage -i", of course.)
>
> type=AVC msg=audit(1420507367.059:518): avc: denied { read } for
> pid=13112 comm="setfiles" path="/root/SElinux/contexts" dev=dm-0
> ino=560291
> scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>
> selinux-policy-3.7.19-260.el6_6.1.noarch
> selinux-policy-targeted-3.7.19-260.el6_6.1.noarch
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
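The AVC record in the quoted message is a standard audit.log line; as an added example (not code from the list thread or from selinux-policy), a small Python parser that pulls the source type, target type, object class and permissions out of such records, run over the denial quoted above rejoined onto one line (the accompanying SYSCALL record is a constructed sample used only to show that non-AVC lines are skipped):

```python
import re
from dataclasses import dataclass

# Constructed sample: the denial quoted above, rejoined onto one line, plus a
# non-AVC audit record (made up here) that the parser must skip.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1420507367.059:518): avc: denied { read } for '
    'pid=13112 comm="setfiles" path="/root/SElinux/contexts" dev=dm-0 ino=560291 '
    'scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1420507367.059:518): arch=c000003e syscall=2 '
    'success=no exit=-13 comm="setfiles" exe="/usr/sbin/setfiles"\n'
)

AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values may be quoted

@dataclass
class AvcRecord:
    serial: int
    verdict: str      # "denied" or "granted"
    perms: list       # e.g. ["read"]
    fields: dict      # pid, comm, path, scontext, tcontext, tclass, ...

    def ctx_type(self, key):
        # A context is user:role:type[:range]; the type is the third field.
        return self.fields[key].split(':')[2]

    def summary(self):
        return (f"{self.verdict}: {self.ctx_type('scontext')} -> "
                f"{self.ctx_type('tcontext')} tclass={self.fields['tclass']} "
                f"perms={' '.join(self.perms)} path={self.fields.get('path', '?')}")

def parse_avc(line):
    """Parse one AVC audit record; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcRecord(int(m.group('serial')), m.group('verdict'),
                     m.group('perms').split(), fields)

def parse_audit_log(text):
    """Return the AVC records found in a block of audit.log text, in order."""
    return [r for r in map(parse_avc, text.splitlines()) if r]
```

Calling `parse_audit_log(SAMPLE_AUDIT)[0].summary()` on the quoted denial yields `denied: setfiles_t -> admin_home_t tclass=file perms=read path=/root/SElinux/contexts`, which is exactly the source type, target type and permission a policy writer needs to decide whether a rule is missing.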