On 09/29/2015 10:18 AM, Mario Rosic wrote:
Hello,
the guest_t type is allowed to browse directories labelled with
admin_home_t but guest_t is not allowed to interact with any
non-directory files labelled with admin_home_t.
That looks inconsistent to me. Why should guest_t be allowed to enter
directories labelled with admin_home_t but not interact with any other
files? Is there a reasoning behind that (i.e. am I missing something) or
should I file a bug report?
In my opinion guest_t shouldn't be able to browse folders labelled with
admin_home_t.
Regards,
Mario
PS
That is on a RHEL7 machine.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
In Fedora/RHEL policy we allow all domains to search through all
directories. The problem we have is
that we do not know whether labels exist under those directory that
guest_t needs access to.
If an admin created /root/guest_data, then guest_t should be allowed to
get to his data. He should not
be able to get any other data about content in the /root directory. So
ls -l /root should fail. But cd /root/guest_data
should succeed.