On 2020-07-31 18:25 Christian Göttsche wrote:
> An alternative would be, since these symlinks are trusted and permanent, to label them as their parent directory (e.g. var_lib_t (use the '-l' file type specifier)) and allow the applications to read these lnk types. This also prevents e.g. mysqld_t from altering the symlink /var/lib/mysqld (since it probably has write permission to mysql_db_t:lnk_file but not var_lib_t:lnk_file).
Yeah, in some cases I use the approach above, as it seems that many domains have lnk_file read permission to var_lib_t. I wonder if a more generic solution exists.
Thanks.

--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
GPG public key ID: FF5F32A8