* Valdis.Kletnieks@private (Valdis.Kletnieks@private) wrote:
> On Wed, 27 Oct 2004 13:50:23 EDT, Stephen Smalley said:
>
> > That is actually a common aspect of SELinux policies: don't let trusted
> > domains follow untrustworthy symlinks, just based on security types
> > rather than uids.
>
> The point is that in this case, *no* domains are trusted - we don't want
> end users compiling their Fortran programs to have stuff hijacked out from
> under them when they build in /tmp. Similarly, we care about *other* directories
> as well - /tmp and /var/tmp are just *two* places things live, there's other
> world-writable directories as well.

The symlink was created by someone in a different security context (and hence
security label). It should be simple to restrict this access, regardless of
parent directory.

> As another example - how would you implement "don't remove other users' files
> in a +t directory" in SELinux? Note that nobody seems to think that *that*
> semantic isn't sane and desirable - but it's equally hard to state in SELinux,
> for the same reasons.

I don't understand the point here? The normal kernel DAC check will catch this
before you ever get to the security hook.

thanks,
-chris

--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
This archive was generated by hypermail 2.1.3 : Wed Oct 27 2004 - 11:26:46 PDT