Why can not user_t link var_lib_t files?
Daniel J Walsh
dwalsh at redhat.com
Mon May 18 12:19:35 UTC 2009
On 05/17/2009 04:26 PM, Göran Uddeborg wrote:
> Dominick Grift writes:
>> Most stuff in /var is system stuff and not for
>> users. So if a user has nothing to do there then no need to give them
>> access either.
>>
>> Stuff like /var/spool/mail/<user> is however accessible.
>
> Most things in /var is ACCESSIBLE. The same user that could not link
> the file had no problems copying it.
>
> I was under the impression that user_u was not meant to be overly
> restricted. It should not be able to do su/sudo and other kinds of
> system work. But apart from that I thought it was meant to be able to
> do most things regular users on non-SELinux systems can do.
>
> That was the impression I got from
> http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
> among other places. But maybe I have misunderstood things.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes user_u is not that restrictive, but the idea is a managed user. I
would tend to think of user who does few commands with the shell. But
please attach the avc's you are seeing? The directory in question might
need a different label.
More information about the selinux
mailing list