Hello everyone, We have been thinking on such problem: read access to a file may be restricted with SELinux MCS/MLS, especially MLS/MCS. If a file with restricted access is inside a directory without restricted access, its name is readable. Name of the file may be used to store some "secret" information. Some system directories, e.g. /var/tmp, are writable for multiple users, and they may use it to exchange secret information, bypassing restrictions. Is there a way to restrict access to names of such files? What may theoretically be done: 1. Hide such files from directory listing. A bad idea, because most pieces of software (and people) are not ready to deal with situations when a file does not exist but a file with such name cannot be created because it already exists. 2. Change name of the file to "????". Even worse. 3. Do not show the name of the file at all. I do not know how it should be done, something like showing that an "inode" exists. 4. Try to just restrict write access to directories without proper MLS labels: separate /tmp for arch user, maybe separate /var/tmp for each user, chmod -x (maybe via ACL) for /run etc. Can and should it be done with SELinux? What about other LSM modules? Is there a more generic approach to hide names of unreadable files?
