Hard link to root-owned file now fails (since Fedora 19)

Richard W.M. Jones rjones at redhat.com
Tue Jul 16 09:42:02 UTC 2013


On Tue, Jul 16, 2013 at 10:42:10AM +0200, Florian Weimer wrote:
> On 07/15/2013 07:32 PM, Richard W.M. Jones wrote:
> 
> >Why?
> 
> Without it, it's possible to exploit certain weaknesses to make
> /etc/shadow world-readable or worse, for example.
> 
> Hard links are fundamentally incompatible with the way we run
> SELinux, and this change mitigates that issue to some extent.

Any more information on this?

FWIW this change caused a segfault in OpenStack (now fixed, but
there's a larger problem remaining - RHBZ#983218).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)

