From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 27 Sep 2013 16:58:12 -0400
Subject: [refpolicy] [PATCH 04/20] seutils: restorecon wants to read /run symbolic link
In-Reply-To: <1380199304.2561.5.camel@d30>
References: <1380029956-24978-1-git-send-email-dominick.grift@gmail.com> <52442AD5.5020701@tresys.com> <1380199304.2561.5.camel@d30>
Message-ID: <5245F164.8000904@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu 26 Sep 2013 08:41:44 AM EDT, Dominick Grift wrote:
> On Thu, 2013-09-26 at 08:38 -0400, Christopher J. PeBenito wrote:
>> On Tue 24 Sep 2013 09:39:16 AM EDT, Dominick Grift wrote:
>>> Do not audit attempts by fixfiles to read all symbolic links
>>>
>>> Signed-off-by: Dominick Grift
>>> ---
>>> policy/modules/system/selinuxutil.te | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te >>> index 5622246..ff19d75 100644 >>> --- a/policy/modules/system/selinuxutil.te >>> +++ b/policy/modules/system/selinuxutil.te 
>>> @@ -552,7 +552,7 @@ files_read_etc_runtime_files(setfiles_t) >>> files_read_etc_files(setfiles_t) >>> files_list_all(setfiles_t) >>> files_relabel_all_files(setfiles_t) >>> -files_read_usr_symlinks(setfiles_t) >>> +files_dontaudit_read_all_symlinks(setfiles_t) >>> >>> fs_getattr_xattr_fs(setfiles_t) >>> fs_list_all(setfiles_t)
>>
>> Can you further clarify this? Setfiles hasn't changed much in years,
>> so I'm unclear on why this change is necessary.
>
> This is not so much related to setfiles.
>
> It's related to recent changes of locations. For example /var/run
> -> /run, /bin -> /usr/bin etc.
>
> So now /var/run is a symlink to /run.
>
> setfiles doesn't follow symlinks, so we might as well silently deny access
> to read all symlinks.

I'm reluctant to remove the usr_t access, since it might be needed from
one of the libs setfiles uses, rather than setfiles itself.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
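Review bot: the hunk at @@ -552,7 +552,7 @@ replaces an allow rule with a dontaudit rather than adding the dontaudit alongside it, so `files_read_usr_symlinks(setfiles_t)` is silently revoked: a dontaudit grants nothing, it only hides the denial, which means any usr_t symlink read that setfiles (or a library it links against, as the reply points out) actually needs would now fail without an AVC message to explain it. Suggest keeping `files_read_usr_symlinks(setfiles_t)` and adding `files_dontaudit_read_all_symlinks(setfiles_t)` as a second line, and, since the stated motivation is only the /var/run -> /run symlink, consider whether a dontaudit scoped to that location would be narrower than suppressing reads of all symlinks. The description is also inconsistent with the rule: the subject says restorecon, the commit message says fixfiles, and the change is on setfiles_t; the commit message should name the domain actually affected.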