fedora-selinux May 2009 archive

Re: Why can not user_t link var_lib_t files?

From: Stephen Smalley <sds_at_nospam>
Date: Mon May 18 2009 - 12:48:08 GMT
To: Göran Uddeborg <goeran@uddeborg.se>


On Sun, 2009-05-17 at 18:44 +0200, Göran Uddeborg wrote:
> Is there some reason user_t is denied to link a file with type
> var_lib_t (among others)? Or did it just happen that way? I don't
> see any security advantage.

In a least privilege scheme, the question is not why should it be denied but rather what legitimate purpose does user_t have in creating hard links to random files under /var/lib. Generally none; in your case, you ought to have a distinct type for those files (and if they are in fact served via NFS, then I don't see why they would be in var_lib_t unless you mounted the NFS filesystem with context=system_u:object_r:var_lib_t).

user_t is supposed to be an unprivileged user account, and creating hard links to files to which you have no create/write permissions is usually a sign of something wrong (hence a wide variety of Linux security patches prohibit link'ing to files you don't own).

> (It doesn't matter for the question, but I suspect somebody will ask
> why I want this. The particular use case where we were hit by this is
> non-standard. We have a digital TV receiver box that saves recordings
> via NFS under /var/lib/TV on a server. A user wanted to edit out the
> commercials from one recording using the m2vmp2cut tool. The tool is
> most easy to use when the original recording is in the working
> directory. She could copy the file from /var/lib/TV/... to her home
> directory, but to save a lot of time and space she tried to make a
> (hard) link instead. SELinux denied her that. Obviously
> non-standard, and the regular policy doesn't know anything about these
> files. And I know various ways to work around it, including adding a
> module. But I was a bit surprised over the denial. I would have
> expected user_t to be allowed to do this. Thus my question, is this
> by design or by mistake?)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
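The rule Smalley alludes to ("prohibit link'ing to files you don't own") later landed in mainline Linux as the fs.protected_hardlinks sysctl (3.6 and later; in 2009 it existed only in out-of-tree hardening sets such as Openwall and grsecurity). What follows is an added example, not code from this thread or from the kernel: a user-space model of that decision, run over constructed inodes and credentials that mirror the recording scenario in the thread. The uids, modes and scenario names are assumptions made for the illustration, and the capability overrides of a full kernel DAC check (CAP_DAC_OVERRIDE) are deliberately left out.

```python
# Added example (not code from the thread or the kernel): a user-space model of
# the hard-link restriction Stephen Smalley refers to. It reproduces the
# decision the Linux kernel takes in may_linkat() when fs.protected_hardlinks=1.
# Inodes and credentials below are constructed, not read from a real system,
# and capability-based DAC overrides (CAP_DAC_OVERRIDE) are omitted.
import stat
from dataclasses import dataclass

MAY_READ, MAY_WRITE = 4, 2


@dataclass(frozen=True)
class Inode:
    mode: int            # st_mode: file type bits plus permission/setuid/setgid bits
    uid: int
    gid: int


@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset      # primary plus supplementary group ids
    cap_fowner: bool = False


def dac_permits(cred: Cred, inode: Inode, want: int) -> bool:
    """Classic owner/group/other check (a simplified generic_permission())."""
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif inode.gid in cred.gids:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return (bits & want) == want


def safe_hardlink_source(cred: Cred, inode: Inode) -> bool:
    """Mirrors the kernel's safe_hardlink_source(): may a non-owner pin this inode?"""
    if not stat.S_ISREG(inode.mode):          # devices, fifos, sockets: never
        return False
    if inode.mode & stat.S_ISUID:             # setuid files: never
        return False
    if (inode.mode & (stat.S_ISGID | stat.S_IXGRP)) == (stat.S_ISGID | stat.S_IXGRP):
        return False                          # executable setgid files: never
    # Pinning something you cannot already read *and* write is the dangerous case.
    return dac_permits(cred, inode, MAY_READ | MAY_WRITE)


def may_linkat(cred: Cred, inode: Inode, protected_hardlinks: bool = True) -> bool:
    """Return True if link() by `cred` to `inode` would be allowed."""
    if not protected_hardlinks:               # legacy behaviour: only the target dir is checked
        return True
    if cred.uid == inode.uid or cred.cap_fowner:
        return True                           # owner (or CAP_FOWNER) may link freely
    return safe_hardlink_source(cred, inode)


# Constructed scenario modelled on the thread: recordings written by the TV
# receiver's account (uid 500, group 500) under /var/lib/TV; "alice" (uid 1000)
# wants to hard-link one into her home directory.
RECEIVER = Cred(uid=500, gids=frozenset({500}))
ALICE = Cred(uid=1000, gids=frozenset({1000}))
ALICE_IN_TV = Cred(uid=1000, gids=frozenset({1000, 500}))

RECORDING_RO = Inode(stat.S_IFREG | 0o644, uid=500, gid=500)   # group/other read-only
RECORDING_RW = Inode(stat.S_IFREG | 0o664, uid=500, gid=500)   # group-writable
PASSWD = Inode(stat.S_IFREG | 0o644, uid=0, gid=0)
SETUID_BIN = Inode(stat.S_IFREG | stat.S_ISUID | 0o755, uid=0, gid=0)
SETGID_EXEC = Inode(stat.S_IFREG | stat.S_ISGID | 0o775, uid=500, gid=500)


def run_scenarios() -> dict:
    """Evaluate the link attempts above; keys name the attempt, values are allow/deny."""
    return {
        "owner links own file": may_linkat(RECEIVER, RECORDING_RO),
        "alice, read-only recording": may_linkat(ALICE, RECORDING_RO),
        "alice in tv group, rw recording": may_linkat(ALICE_IN_TV, RECORDING_RW),
        "alice in tv group, setgid executable": may_linkat(ALICE_IN_TV, SETGID_EXEC),
        "alice, /etc/passwd": may_linkat(ALICE, PASSWD),
        "alice, setuid binary": may_linkat(ALICE, SETUID_BIN),
        "alice, read-only, protection off": may_linkat(ALICE, RECORDING_RO, False),
    }


if __name__ == "__main__":
    for attempt, allowed in run_scenarios().items():
        print(f"{attempt:40s} {'allowed' if allowed else 'EPERM'}")
```

The read-only recording case comes out as EPERM, which is the DAC analogue of the SELinux denial discussed above: the user can read the file but cannot write it, so a hard link would let her pin a copy whose lifetime she does not control. The remedy is the same on either layer and matches Smalley's advice: give the recordings their own type (set with the context= mount option for the NFS mount) and grant user_t what it needs on that type, rather than widen what user_t may do to var_lib_t in general.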