Bug 431185
Summary: tmpwatch has problem with mislabeled files in /tmp

| Field | Value |
|---|---|
| Product | Fedora |
| Reporter | Matěj Cepl <mcepl> |
| Component | selinux-policy |
| Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED RAWHIDE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | low |
| Priority | low |
| Docs Contact | |
| Version | rawhide |
| CC | dwalsh, mcepl |
| Target Milestone | --- |
| Keywords | SELinux |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2008-02-02 04:47:16 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Description
Matěj Cepl 2008-02-01 12:23:25 UTC

Created attachment 293717 [details]
Proposed fix

Two things. First, this will work, since /tmp/XYZ is labeled <<none>>, which tells restorecon to do nothing. You can test this out by running your example above. Secondly, if this did work, it would not work for the people who worry about security, since it would open a channel for downgrading data: I could take a top secret document, put it in /tmp and remove the top secret classification. Finally, certain files in /tmp have labels that we want to maintain, for example Kerberos host cache files.

I think a better fix would be to allow tmpreaper to read/delete user home directory files, since I have been telling people that /tmp is for use by normal users; it would not be surprising for a normal user to mv files from his home dir to /tmp.

Fixed in selinux-policy-3.2.5-25.fc9
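The three points in the comment above (a `<<none>>` entry makes restorecon a no-op, forcing a moved file onto /tmp's default context would lower its MLS sensitivity, and some /tmp paths carry specific labels that must survive) can be checked on constructed data. The following is an added example and is not code from the bug report, tmpwatch or selinux-policy. The `file_contexts` entries, the `/tmp/host_0` Kerberos entry and `TMP_DEFAULT` are constructed for the example, and the lookup rule (scan entries in reverse order, first hit wins) is an assumed stand-in for how libselinux consults a sorted file_contexts, not a port of it; `force_tmp_default` is a hypothetical model of the rejected "relabel everything in /tmp" approach.

```python
"""Added example; not code from the bug report, tmpwatch or selinux-policy.

Models the decision restorecon makes for one file under /tmp:
  1. /tmp/.* maps to <<none>>, so restorecon leaves a moved file alone;
  2. forcing such a file onto /tmp's default context would lower its MLS
     sensitivity (the downgrade channel the comment warns about);
  3. some paths under /tmp carry specific labels that restorecon must keep.

Assumptions: the file_contexts entries below are constructed, and the lookup
rule (scan entries in reverse order, first hit wins) stands in for libselinux's
handling of a sorted file_contexts; it is not a port of it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed file_contexts fragment: (path regex, default context).
# "<<none>>" means "no default": restorecon must not touch the path.
FILE_CONTEXTS: List[Tuple[str, str]] = [
    (r"/home/[^/]+/.*", "unconfined_u:object_r:user_home_t:s0"),
    (r"/tmp/.*", "<<none>>"),
    (r"/tmp/host_0", "system_u:object_r:krb5_host_rcache_t:s0"),  # hypothetical entry
]

# Context a naive "relabel everything in /tmp" policy would impose (assumed).
TMP_DEFAULT = "unconfined_u:object_r:user_tmp_t:s0"


@dataclass
class Decision:
    path: str
    current: str
    action: str                        # "keep" or "relabel"
    new_context: Optional[str] = None
    downgrade: bool = False            # relabel would lower MLS sensitivity


def lookup_default(path: str) -> Optional[str]:
    """Default context for path, or None when the match is <<none>>."""
    for regex, ctx in reversed(FILE_CONTEXTS):
        if re.fullmatch(regex, path):
            return None if ctx == "<<none>>" else ctx
    return None


def sensitivity(context: str) -> int:
    """Low MLS sensitivity of a context as an int (s0 -> 0, s3 -> 3).

    Contexts with no level field (non-MLS policy) are treated as s0.
    """
    fields = context.split(":")        # user:role:type[:level[:cats]]
    if len(fields) < 4:
        return 0
    low = fields[3].split("-")[0]      # "s3-s15:c0.c1023" -> "s3"
    m = re.fullmatch(r"s(\d+)", low)
    if not m:
        raise ValueError(f"unparseable MLS level in {context!r}")
    return int(m.group(1))


def is_downgrade(current: str, proposed: str) -> bool:
    """True when applying `proposed` would lower the file's sensitivity."""
    return sensitivity(proposed) < sensitivity(current)


def restorecon(path: str, current: str) -> Decision:
    """What `restorecon -n` would report for one file: <<none>> => keep."""
    default = lookup_default(path)
    if default is None or default == current:
        return Decision(path, current, "keep")
    return Decision(path, current, "relabel", default,
                    is_downgrade(current, default))


def force_tmp_default(path: str, current: str) -> Decision:
    """Hypothetical rejected approach: push every /tmp file to TMP_DEFAULT.

    Returns the relabel it would perform, flagging the downgrade a moved
    top secret (s3) file would suffer.
    """
    return Decision(path, current, "relabel", TMP_DEFAULT,
                    is_downgrade(current, TMP_DEFAULT))


if __name__ == "__main__":
    moved = "unconfined_u:object_r:user_home_t:s3"   # file mv'd from $HOME
    for fn in (restorecon, force_tmp_default):
        d = fn("/tmp/XYZ", moved)
        flag = " DOWNGRADE" if d.downgrade else ""
        print(f"{fn.__name__:18} /tmp/XYZ: {d.action} {d.new_context or ''}{flag}")
    d = restorecon("/tmp/host_0", "system_u:object_r:user_tmp_t:s0")
    print(f"{'restorecon':18} /tmp/host_0: {d.action} {d.new_context}")
```

Running the script prints `keep` for `/tmp/XYZ` under `restorecon` (the `<<none>>` match), a flagged downgrade for the same file under `force_tmp_default` (s3 to s0), and a relabel of `/tmp/host_0` back to its Kerberos host cache context, which is the label the comment says must be maintained.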