Re: lnk_file read permission

On Fri, Jul 31, 2020 at 9:59 AM Gionatan Danti <g.danti@xxxxxxxxxx> wrote:
> On 2020-07-30 10:11 Ondrej Mosnacek wrote:
> > So for Fedora it might indeed make sense to add some
> > "domain_can_read_symlinks" boolean for people who customize things
> > with symlinks a lot... But there might be other reasons for being
> > careful with symlinks that you or I haven't thought of :) I'd suggest
> > asking on the upstream mailing list (selinux@xxxxxxxxxxxxxxx) on
> > if/why it's a good idea to follow the principle of least privilege
> > also for symlinks. You are likely to get a more educated answer there.
>
> The boolean "can_read_symlinks" is, indeed, a very good idea. I'll ask
> on the upstream mailing list as you suggested.

Just to clarify: The upstream ML is a place for general discussions
about SELinux itself. Just in case you intend to mention the boolean
there - for that you should rather file a BZ against selinux-policy on
Fedora. I recommended the list specifically for the general question
about symlinks.

>
> > I don't understand what is meant here... Do you have a link to the
> > bugzilla in question?
>
> Sorry, it was not on bugzilla, but on this same list:
> https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/J7ZRMNQ5MJNN3NH2EOMZIBNGRXKQ554N/

I think Stephen meant something along the lines that our policy macros
should account for the possibility of system directories to be
symlinked and generate the appropriate allow rules alongside the dir
ones. Which would be a better solution, but likely also a lot of work
to fix everywhere properly :/

-- 
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
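The two policy ideas raised in this message, a "domain_can_read_symlinks" tunable and interfaces that grant lnk_file read alongside the dir rules they already generate, written out as an added refpolicy-style example. This is illustration code, not part of the thread or of the Fedora selinux-policy; the module name, the example_t/example_conf_t types and the example_read_conf interface are hypothetical, while gen_tunable, tunable_policy, the domain/file_type attributes and the list_dir_perms/read_file_perms/read_lnk_file_perms permission sets are the standard refpolicy building blocks.

```m4
# --- example.te (hypothetical module, added example) ---
policy_module(symlink_example, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow every confined domain to follow symbolic links
## carrying any file type. Off by default; turn on only on
## systems that relocate system directories via symlinks.
## </p>
## </desc>
gen_tunable(domain_can_read_symlinks, false)

type example_t;
type example_exec_t;
init_daemon_domain(example_t, example_exec_t)

type example_conf_t;
files_config_file(example_conf_t)

########################################
#
# Local policy
#

# Directory and file access for the config tree.
allow example_t example_conf_t:dir list_dir_perms;
allow example_t example_conf_t:file read_file_perms;

# If the config directory (or a parent of it) is a symlink, the
# kernel additionally checks lnk_file { read } on the link's
# label; without this rule the dir rule above is not enough.
allow example_t example_conf_t:lnk_file read_lnk_file_perms;

# The broad, opt-in variant discussed in the thread: one boolean
# that lets all domains follow all symlinks. Scope is much wider
# than the per-type rule above, which is why it stays off.
tunable_policy(`domain_can_read_symlinks',`
	gen_require(`
		attribute domain;
		attribute file_type;
	')
	allow domain file_type:lnk_file read_lnk_file_perms;
')

# --- example.if (hypothetical interface, added example) ---
## <summary>
##	Read the example configuration tree, including when the
##	directory itself is reached through a symlink.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
interface(`example_read_conf',`
	gen_require(`
		type example_conf_t;
	')

	allow $1 example_conf_t:dir list_dir_perms;
	allow $1 example_conf_t:file read_file_perms;
	# The macro-level fix suggested above: every interface that
	# hands out dir/file access also hands out lnk_file read on
	# the same type, so a symlinked directory needs no extra rule.
	allow $1 example_conf_t:lnk_file read_lnk_file_perms;
')
```

After building and loading such a module, the rule can be confirmed with setools, e.g. `sesearch -A -s example_t -t example_conf_t -c lnk_file`, and the boolean with `getsebool domain_can_read_symlinks`. The per-type lnk_file rule is the least-privilege option; the tunable exists only for setups where symlinked system directories are the norm and the wider grant is an accepted trade-off.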