Red Hat Bugzilla – Bug 829802
sysnet_read_config does not allow reading symlinks
Last modified: 2012-06-16 20:05:32 EDT
Description of problem:
The sysnet_read_config macro doesn't let the subject read symbolic
links in the network configuration.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a symbolic link, to, say, an ifcfg-xxx file in /etc/sysconfig/network-scripts
2. Create a policy module that grants sysnet_read_config to a domain
3. Run something in that domain and have it try to follow the symlink
Access permitted; there's no important difference between accessing the file
directly and accessing it via a symlink, nor can the content of a symlink
in the network config reasonably be expected to reveal anything sensitive.
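A policy module matching step 2 of the report, written here as an added example (not code from the reporter or from selinux-policy), with a local rule for policy builds that predate the fix. The module name, the `netcfgreader_t` and `netcfgreader_exec_t` types, and the assumption that the symlink is labeled `net_conf_t` are hypothetical; what the fixed package changed is not shown on this page.

```te
# netcfgreader.te -- hypothetical test module, not part of selinux-policy
policy_module(netcfgreader, 1.0.0)

# Hypothetical confined domain and its entry-point type.
type netcfgreader_t;
type netcfgreader_exec_t;
application_domain(netcfgreader_t, netcfgreader_exec_t)

# Step 2 of the report: grant the domain read access to the
# network configuration through the interface under discussion.
sysnet_read_config(netcfgreader_t)

# Local rule for systems still running a policy build older than the
# fixed package: allow the domain to read symlinks among the network
# configuration files.
# Assumption: the symlink itself carries the net_conf_t type; check the
# real label with `ls -Z` and substitute the type it reports.
gen_require(`
	type net_conf_t;
')
read_lnk_files_pattern(netcfgreader_t, net_conf_t, net_conf_t)

# Build and load with the policy development Makefile:
#   make -f /usr/share/selinux/devel/Makefile netcfgreader.pp
#   semodule -i netcfgreader.pp
# Getting a process into netcfgreader_t (labeling a binary as
# netcfgreader_exec_t and adding a transition rule) is left to the
# test setup.
```

Once the updated selinux-policy package is installed, the `gen_require` block and the `read_lnk_files_pattern` line can be removed and the test repeated to confirm that the interface alone is sufficient.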
Fixed in selinux-policy-3.10.0-129.fc17
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.