Strange restriction for setfiles_t

Miroslav Grepl mgrepl at redhat.com
Wed Jan 7 09:20:21 UTC 2015


On 01/06/2015 03:20 PM, Daniel J Walsh wrote:
> We are actually removing some of these transitions from unconfined_t in
> RHEL7 and latest Fedoras.
>
> setfiles_t probably should be allowed to read all files, since it can
> change the label on all files; not much security is bought by this.
Yes, I agree. Could you open a new bug?
>
> On 01/05/2015 08:45 PM, Robert Nichols wrote:
>> I find it odd that a setfiles_t process is allowed to read user_home_t
>> files but not admin_home_t.  So, to use "semanage -i ..." I need to
>> store the file in a less protected location?
>> (Or use "cat xxx | semanage -i", of course.)
>>
>> type=AVC msg=audit(1420507367.059:518): avc:  denied  { read } for
>> pid=13112 comm="setfiles" path="/root/SElinux/contexts" dev=dm-0
>> ino=560291
>> scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>>
>> selinux-policy-3.7.19-260.el6_6.1.noarch
>> selinux-policy-targeted-3.7.19-260.el6_6.1.noarch
>>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
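As an added worked example (this is not code from the thread or from the selinux-policy project), the snippet below does by hand what audit2allow does with the AVC record Robert quoted: it parses the denial into source type, target type, object class and permissions, and renders the TE rule that would resolve it, which is the rule Dan is proposing in effect (setfiles_t reading admin_home_t, generalised to all files). The first log line is the record from the post, rejoined onto one line as auditd writes it; the two further AVC lines and the SYSCALL line are constructed here to show how several denials collapse into one rule and how non-AVC records are skipped. Nothing here needs a running SELinux system.

```python
import re

# Constructed sample log. Line 1 is the AVC record quoted in the thread;
# lines 2-4 are made up for this example (a SYSCALL record that must be
# ignored, and two further denials on the same source/target pair).
SAMPLE_LOG = [
    'type=AVC msg=audit(1420507367.059:518): avc:  denied  { read } for '
    'pid=13112 comm="setfiles" path="/root/SElinux/contexts" dev=dm-0 '
    'ino=560291 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1420507367.059:518): arch=c000003e syscall=2 '
    'success=no exit=-13 comm="setfiles" exe="/sbin/setfiles"',
    'type=AVC msg=audit(1420507367.060:519): avc:  denied  { open } for '
    'pid=13112 comm="setfiles" path="/root/SElinux/contexts" dev=dm-0 '
    'ino=560291 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1420507367.061:520): avc:  denied  { getattr } for '
    'pid=13112 comm="setfiles" path="/root/SElinux/contexts" dev=dm-0 '
    'ino=560291 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file',
]
AVC_SAMPLE = SAMPLE_LOG[0]

# "avc:  denied  { read open } for <key=value ...>"
_AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record; return None for anything that is not an AVC line."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    # A security context is user:role:type[:range]; the type is index 2.
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'fields': fields,
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def allow_rule(avc):
    """Render the TE allow rule that would permit this single denial."""
    perms = ' '.join(sorted(avc['perms']))
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {{ {perms} }};"


def merge_rules(lines):
    """Collapse many denials into one rule per (source type, target type, class),
    the way audit2allow summarises an audit log. Non-AVC and 'granted' records
    are skipped."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc['decision'] != 'denied':
            continue
        key = (avc['stype'], avc['ttype'], avc['tclass'])
        merged.setdefault(key, set()).update(avc['perms'])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == '__main__':
    for rule in merge_rules(SAMPLE_LOG):
        print(rule)
```

The merged rule is what you would drop into a local policy module (audit2allow -M, then semodule -i) while waiting for the policy fix Dan describes; it is also a reminder of why the denial buys little, since a domain that may relabel every file gains nothing from being refused read access to them. The no-policy workaround from the original post still applies: feed the file over stdin (cat file | semanage -i -) so setfiles_t never opens a path under /root itself.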


