Bug 146557
| Summary: | Samba and getattr / file browsers | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ivan Gyurdiev <ivg231> |
| Component: | selinux-policy-strict | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | Severity: | medium |
| Priority: | medium | Version: | rawhide |
| Hardware: | i386 | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2005-02-04 16:28:11 UTC |
Description
Ivan Gyurdiev
2005-01-29 16:41:04 UTC
For example, why is the following necessary? It makes sense to me that I should be able to see all the info. Why not make a macro for such things that does not audit getattr?

```
[phantom@cobra ~]$ ls -lZ /var
?--------- ? ? account
drwxr-xr-x root root system_u:object_r:var_t cache
drwxr-xr-x root root system_u:object_r:var_t db
drwxr-xr-x root root system_u:object_r:var_t empty
?--------- ? ? gdm
drwxr-xr-x root root system_u:object_r:var_lib_t lib
drwxr-xr-x root root system_u:object_r:var_t local
?--------- ? ? lock
drwxr-xr-x root root system_u:object_r:var_log_t log
?--------- ? ? mail
?--------- ? ? named
drwx------ root root system_u:object_r:var_t net-snmp
drwxr-xr-x root root system_u:object_r:var_t nis
drwxr-xr-x root root system_u:object_r:var_t opt
drwxr-xr-x root root system_u:object_r:var_t preserve
drwxr-xr-x root root system_u:object_r:var_run_t run
drwxr-xr-x root root system_u:object_r:var_spool_t spool
drwxrwxrwt root root system_u:object_r:tmp_t tmp
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t www
?--------- ? ? yp
```

This should be brought up for discussion on the selinux list.

Also, what exactly is the difference between an allow rule and a dontaudit rule?

Allow allows the action to happen. Dontaudit does not allow the action to happen but doesn't audit it. I am not sure what the best thing to do here is. By using the dontaudit, you could lose valuable security information. I.e., a rogue app searching your file system.

Closed (for now :)
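Added example, not part of the bug report: a small Python parser for the `ls -lZ` listing above that separates the entries whose attributes were withheld (the `?---------` rows, where getattr was denied) from those that show an SELinux context. The function names are hypothetical; the sample input is the listing from the report.

```python
# `ls -lZ /var` output copied from the report above (one entry per line).
LS_OUTPUT = """\
?--------- ? ? account
drwxr-xr-x root root system_u:object_r:var_t cache
drwxr-xr-x root root system_u:object_r:var_t db
drwxr-xr-x root root system_u:object_r:var_t empty
?--------- ? ? gdm
drwxr-xr-x root root system_u:object_r:var_lib_t lib
drwxr-xr-x root root system_u:object_r:var_t local
?--------- ? ? lock
drwxr-xr-x root root system_u:object_r:var_log_t log
?--------- ? ? mail
?--------- ? ? named
drwx------ root root system_u:object_r:var_t net-snmp
drwxr-xr-x root root system_u:object_r:var_t nis
drwxr-xr-x root root system_u:object_r:var_t opt
drwxr-xr-x root root system_u:object_r:var_t preserve
drwxr-xr-x root root system_u:object_r:var_run_t run
drwxr-xr-x root root system_u:object_r:var_spool_t spool
drwxrwxrwt root root system_u:object_r:tmp_t tmp
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t www
?--------- ? ? yp
"""

def parse_ls_lz(text):
    """Parse `ls -lZ` rows; 'denied' marks entries ls could not stat."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4 or fields[0][0] not in "?-dlbcps":
            continue  # blank line, shell prompt or other non-listing text
        if fields[0].startswith("?"):
            # stat() failed (getattr denied): owner and context are not shown
            entries.append({"name": fields[3], "denied": True, "type": None})
            continue
        context, _, name = fields[3].partition(" ")
        parts = context.split(":")  # user:role:type[:level]
        entries.append({"name": name.strip(), "denied": False,
                        "type": parts[2] if len(parts) >= 3 else None})
    return entries

def denied_names(text):
    """Names whose attributes were hidden from the calling domain."""
    return [e["name"] for e in parse_ls_lz(text) if e["denied"]]

if __name__ == "__main__":
    print("getattr denied on:", ", ".join(denied_names(LS_OUTPUT)))
```
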