On Fri, Jul 31, 2020 at 9:59 AM Gionatan Danti <g.danti(a)assyoma.it> wrote:
On 2020-07-30 10:11 Ondrej Mosnacek wrote:
> So for Fedora it might indeed make sense to add some
> "domain_can_read_symlinks" boolean for people who customize things
> with symlinks a lot... But there might be other reasons for being
> careful with symlinks that you or I haven't thought of :) I'd suggest
> asking on the upstream mailing list (selinux(a)vger.kernel.org) on
> if/why it's a good idea to follow the principle of least privilege
> also for symlinks. You are likely to get a more educated answer there.
The boolean "can_read_symlinks" is, indeed, a very good idea. I'll ask
on the upstream mailing list as you suggested.
Just to clarify: The upstream ML is a place for general discussions
about SELinux itself. Just in case you intend to mention the boolean
there - for that you should rather file a BZ against selinux-policy on
Fedora. I recommended the list specifically for the general question
> I don't understand what is meant here... Do you have a link to the
> bugzilla in question?
Sorry, it was not on bugzilla, but on this same list:
I think Stephen meant something along the lines that our policy macros
should account for the possibility of system directories to be
symlinked and generate the appropriate allow rules alongside the dir
ones. Which would be a better solution, but likely also a lot of work
to fix everywhere properly :/
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.