On Fri, Jul 31, 2020 at 9:59 AM Gionatan Danti <g.danti@xxxxxxxxxx> wrote:
> On 2020-07-30 10:11 Ondrej Mosnacek wrote:
> > So for Fedora it might indeed make sense to add some
> > "domain_can_read_symlinks" boolean for people who customize things
> > with symlinks a lot... But there might be other reasons for being
> > careful with symlinks that you or I haven't thought of :) I'd suggest
> > asking on the upstream mailing list (selinux@xxxxxxxxxxxxxxx) on
> > if/why it's a good idea to follow the principle of least privilege
> > also for symlinks. You are likely to get a more educated answer there.
>
> The boolean "can_read_symlinks" is, indeed, a very good idea. I'll ask
> on the upstream mailing list as you suggested.

Just to clarify: the upstream ML is a place for general discussions about SELinux itself. Just in case you intend to mention the boolean there - for that you should rather file a BZ against selinux-policy on Fedora. I recommended the list specifically for the general question about symlinks.

> > I don't understand what is meant here... Do you have a link to the
> > bugzilla in question?
>
> Sorry, it was not on bugzilla, but on this same list:
> https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/J7ZRMNQ5MJNN3NH2EOMZIBNGRXKQ554N/

I think Stephen meant something along the lines that our policy macros should account for the possibility of system directories to be symlinked and generate the appropriate allow rules alongside the dir ones. Which would be a better solution, but likely also a lot of work to fix everywhere properly :/

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
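As an added illustration of the two approaches discussed above (a tunable boolean versus a macro that emits the lnk_file rule next to the dir rule), here is a refpolicy-style policy module. It is example code, not part of this thread or of selinux-policy; the boolean name `domain_can_read_symlinks` is taken from the quoted text, while the interface name `example_search_symlinked_dir` and the module name are assumptions. Note that the boolean grants every domain read access to every symlink, which is far broader than the per-type interface, so it defaults to off.

```m4
policy_module(example_symlinks, 1.0.0)

########################################
## <summary>
##	Search a directory type and also read symlinks of that type, so a
##	system directory that an admin replaced with a symlink still resolves.
##	(Hypothetical interface, not from refpolicy.)
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
## <param name="dir_type"><summary>Type of the directory (and its symlink).</summary></param>
#
interface(`example_search_symlinked_dir',`
	# The dir rule that existing macros already generate.
	allow $1 $2:dir search_dir_perms;
	# The companion rule: a symlink standing in for the directory carries
	# the same type, but is a lnk_file object and needs its own permission.
	allow $1 $2:lnk_file read_lnk_file_perms;
')

########################################
## <desc>
## <p>
##	Allow all confined domains to read symlinks of any file type.
##	Coarse fallback for systems that symlink many system directories;
##	prefer the per-type interface above where possible.
## </p>
## </desc>
gen_tunable(domain_can_read_symlinks, false)

require {
	attribute domain;
	attribute file_type;
}

tunable_policy(`domain_can_read_symlinks',`
	allow domain file_type:lnk_file read_lnk_file_perms;
')
```

With the module loaded, `setsebool -P domain_can_read_symlinks on` enables the broad rule at runtime, whereas the interface is called from the consuming module's own .te file with a specific domain and directory type.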
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx