Procmail can't delete a tmp file but has free rein over regular files???
Robert Nichols
rnicholsNOSPAM at comcast.net
Wed Apr 24 23:25:46 UTC 2013
On 04/23/2013 02:14 PM, Daniel J Walsh wrote:
> On 04/23/2013 02:55 PM, Robert Nichols wrote:
>> A process running as procmail_t can do pretty much anything to files of
>> type user_home_t, but is restricted from the user_tmp_t file in /tmp that I
>> want to use as a semaphore. Where is the logic in that? It's like granting
>> free access to the vault, but locking up the leave-a-penny-take-a-penny
>> jar.
>>
>> From selinux-policy-targeted-3.7.19-195.el6_4.3.noarch:
>>
>> allow procmail_t user_home_t : file { ioctl read write create getattr
>> setattr lock append unlink link rename open } ;
>>
>> allow application_domain_type user_tmp_t : file { getattr append } ;
>>
> It is more about whether or not someone has opened a bug on it. No one has
> reported problems with procmail_t ability to create content labeled
> user_tmp_t, but if they did, considering what we allow now, it would be
> granted access.
Would you like to see a bz opened on that or not? I ultimately decided to
do the task in a different way, so it really doesn't matter to me now.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.