On Wed, 27 Oct 2004 13:50:23 EDT, Stephen Smalley said:
> That is actually a common aspect of SELinux policies: don't let trusted
> domains follow untrustworthy symlinks, just based on security types
> rather than uids.

The point is that in this case, *no* domains are trusted - we don't want end users compiling their Fortran programs to have stuff hijacked out from under them when they build in /tmp. Similarly, we care about *other* directories as well - /tmp and /var/tmp are just *two* places things live; there are other world-writable directories as well.

As another example - how would you implement "don't remove other users' files in a +t directory" in SELinux? Note that nobody seems to think that *that* semantic isn't sane and desirable - but it's equally hard to state in SELinux, for the same reasons.
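The two uid-based semantics argued about above (refusing to follow a planted symlink in a shared directory, and the sticky-bit rule that only the file's owner, the directory's owner, or a CAP_FOWNER holder may remove an entry) can both be shown in a few lines of C. The following is an added illustration written for this archive page, not code from the thread, the kernel, or SELinux: `sticky_unlink_allowed` is a hypothetical user-space restatement of the kernel's sticky-directory check, and `safe_create_in_shared_dir` is a hypothetical helper showing how a build step writing into /tmp can avoid the symlink hijack the poster describes by using O_EXCL | O_NOFOLLOW and verifying the result with fstat().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not kernel code): restates the +t ("sticky")
 * directory rule for unlink/rename. A caller may remove an entry only if
 * they own the file, own the directory, or hold CAP_FOWNER.
 * Returns 1 if allowed, 0 otherwise. */
int sticky_unlink_allowed(uid_t caller, uid_t file_owner, uid_t dir_owner,
                          int has_cap_fowner)
{
    if (has_cap_fowner)
        return 1;            /* privileged override */
    if (caller == file_owner)
        return 1;            /* it is the caller's own file */
    if (caller == dir_owner)
        return 1;            /* the directory owner may clean up */
    return 0;                /* someone else's file in a shared dir */
}

/* Hypothetical helper: create a fresh file in a world-writable directory
 * without being redirected through a symlink planted by another user.
 *  - O_EXCL: fail if the name already exists, even as a dangling symlink.
 *  - O_NOFOLLOW: never open through a symlink at the final component.
 * After the open, fstat() on the descriptor (not the path) confirms the
 * object is a regular file owned by the caller, which a hijack would break.
 * Returns the open descriptor, or -1 with errno set. */
int safe_create_in_shared_dir(const char *dir, const char *name, mode_t mode)
{
    char path[PATH_MAX];
    struct stat st;
    int fd;

    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, mode);
    if (fd < 0)
        return -1;           /* EEXIST for a planted name, ELOOP for a symlink */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Stand-alone demonstration in a private temporary directory. */
int main(void)
{
    char dir[] = "/tmp/sticky_demo_XXXXXX";   /* constructed sample location */
    if (mkdtemp(dir) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    int fd = safe_create_in_shared_dir(dir, "prog.o", 0600);
    printf("first create: %s\n", fd >= 0 ? "ok" : strerror(errno));
    if (fd >= 0)
        close(fd);
    fd = safe_create_in_shared_dir(dir, "prog.o", 0600);
    printf("second create (name taken): %s\n", fd >= 0 ? "ok" : strerror(errno));

    printf("uid 1000 removing uid 1001's file in root-owned /tmp: %s\n",
           sticky_unlink_allowed(1000, 1001, 0, 0) ? "allowed" : "denied");
    return 0;
}
```

The ownership check after open() is the important part: the kernel's own sticky and symlink restrictions are policy, while a program running in a shared directory can only rely on what the descriptor it actually holds refers to.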
This archive was generated by hypermail 2.1.3 : Wed Oct 27 2004 - 11:13:15 PDT