fedora-selinux May 2009 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: Why can not user_t link var_lib_t files?

Re: Why can not user_t link var_lib_t files?

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Mon May 18 2009 - 12:19:35 GMT
To: Gran Uddeborg <goeran@uddeborg.se>


On 05/17/2009 04:26 PM, Gran Uddeborg wrote:
> Dominick Grift writes:
>> Most stuff in /var is system stuff and not for
>> users. So if a user has nothing to do there then no need to give them
>> access either.
>>
>> Stuff like /var/spool/mail/<user> is however accessible.
>
> Most things in /var is ACCESSIBLE. The same user that could not link
> the file had no problems copying it.
>
> I was under the impression that user_u was not meant to be overly
> restricted. It should not be able to do su/sudo and other kinds of
> system work. But apart from that I thought it was meant to be able to
> do most things regular users on non-SELinux systems can do.
>
> That was the impression I got from
> http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
> among other places. But maybe I have misunderstood things.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes user_u is not that restrictive, but the idea is a managed user. I would tend to think of user who does few commands with the shell. But please attach the avc's you are seeing? The directory in question might need a different label. -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list