On 09/29/2015 10:18 AM, Mario Rosic wrote:
> Hello,
>
> the guest_t type is allowed to browse directories labelled with
> admin_home_t but guest_t is not allowed to interact with any
> non-directory files labelled with admin_home_t.
>
> That looks inconsistent to me. Why should guest_t be allowed to enter
> directories labelled with admin_home_t but not interact with any other
> files? Is there a reasoning behind that (i.e. am I missing something) or
> should I file a bug report?
>
> In my opinion guest_t shouldn't be able to browse folders labelled with
> admin_home_t.
>
> Regards,
> Mario
>
> PS
> That is on a RHEL7 machine.
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

In Fedora/RHEL policy we allow all domains to search through all directories. The problem we have is that we do not know whether labels exist under those directories that guest_t needs access to. If an admin created /root/guest_data, then guest_t should be allowed to get to his data. He should not be able to get any other data about content in the /root directory. So ls -l /root should fail. But cd /root/guest_data should succeed.
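The reply turns on the difference between the dir `search` permission (needed on every component while a path is resolved) and the dir `read` / file `getattr` permissions that `ls -l` needs. The following is an added worked example, not code from this thread or from the Fedora/RHEL policy: it models a path walk against a hand-written rule set that encodes only what the reply states (every domain may search every directory; guest_t gets no other access to admin_home_t). The file layout, the label guest_home_t for /root/guest_data, and the rule set are all assumptions made for the example.

```python
"""Toy model of SELinux path-walk checks, written for this example.

The rule set is a stand-in, not the real Fedora/RHEL policy. It encodes
the behaviour the reply describes: every domain may `search` any
directory, and guest_t has no other access to admin_home_t objects.
"""

# Constructed example filesystem: path -> (object class, SELinux type).
# The guest_home_t label on /root/guest_data is an assumption.
FILESYSTEM = {
    "/": ("dir", "root_t"),
    "/root": ("dir", "admin_home_t"),
    "/root/.bashrc": ("file", "admin_home_t"),
    "/root/guest_data": ("dir", "guest_home_t"),
    "/root/guest_data/notes.txt": ("file", "guest_home_t"),
}

# Constructed allow rules: (source domain, target type, class) -> permissions.
ALLOW = {
    ("guest_t", "guest_home_t", "dir"): {"search", "read", "getattr"},
    ("guest_t", "guest_home_t", "file"): {"read", "getattr", "open"},
}


def allowed(domain, target_type, obj_class, perm):
    """The policy point from the reply: any domain may search any directory.
    Every other permission must come from an explicit allow rule."""
    if obj_class == "dir" and perm == "search":
        return True
    return perm in ALLOW.get((domain, target_type, obj_class), set())


def parents(path):
    """Directory components resolved before the final entry: "/" then each prefix."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def walk_denials(domain, path):
    """`search` is checked on every parent directory during lookup."""
    denials = []
    for d in parents(path):
        cls, typ = FILESYSTEM[d]
        if not allowed(domain, typ, cls, "search"):
            denials.append((d, cls, typ, "search"))
    return denials


def cd(domain, path):
    """chdir: walk the parents, then `search` on the target directory."""
    denials = walk_denials(domain, path)
    cls, typ = FILESYSTEM[path]
    if not allowed(domain, typ, cls, "search"):
        denials.append((path, cls, typ, "search"))
    return denials


def ls_l(domain, path):
    """ls -l: walk, then `read` on the directory to list it, then `getattr`
    on each entry for the long listing. A denied readdir stops everything."""
    denials = walk_denials(domain, path)
    cls, typ = FILESYSTEM[path]
    if not allowed(domain, typ, cls, "read"):
        denials.append((path, cls, typ, "read"))
        return denials
    prefix = path.rstrip("/") + "/"
    for child, (ccls, ctyp) in FILESYSTEM.items():
        if child.startswith(prefix) and "/" not in child[len(prefix):]:
            if not allowed(domain, ctyp, ccls, "getattr"):
                denials.append((child, ccls, ctyp, "getattr"))
    return denials


def cat(domain, path):
    """cat: walk, then `read` and `open` on the file itself."""
    denials = walk_denials(domain, path)
    cls, typ = FILESYSTEM[path]
    for perm in ("read", "open"):
        if not allowed(domain, typ, cls, perm):
            denials.append((path, cls, typ, perm))
    return denials


if __name__ == "__main__":
    for label, result in [
        ("cd /root/guest_data", cd("guest_t", "/root/guest_data")),
        ("cd /root", cd("guest_t", "/root")),
        ("ls -l /root", ls_l("guest_t", "/root")),
        ("ls -l /root/guest_data", ls_l("guest_t", "/root/guest_data")),
        ("cat /root/.bashrc", cat("guest_t", "/root/.bashrc")),
        ("cat /root/guest_data/notes.txt", cat("guest_t", "/root/guest_data/notes.txt")),
    ]:
        print(f"{label:32} {'ok' if not result else 'DENIED ' + str(result)}")
```

In the model, `cd /root` and `cd /root/guest_data` succeed because the only permission they need on admin_home_t is dir `search`, while `ls -l /root` fails at the dir `read` check and `cat /root/.bashrc` fails at file `read`/`open`, which is exactly the split Mario observed. On a real RHEL7 host the equivalent check against the loaded policy is `sesearch -A -s guest_t -t admin_home_t -c dir -p search` (expected to match) versus `sesearch -A -s guest_t -t admin_home_t -c dir -p read` and `sesearch -A -s guest_t -t admin_home_t -c file` (expected not to).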