The current strict-mls policy allows all user domains to modify
their own /proc/self/attr/fscreate file because of the following
line in base_user_template of userdomain.if
allow $1_t self:process { ptrace setfscreate };
I know that does not mean a user can create files with any
desired context, because the policy will apply restrictions
at the file creation time. However, I was wondering why
unprivileged user domains need the ability to update their
/proc/self/attr/fscreate file. From evaluation perspective,
fscreate file is a security relevant file, whose modification
is supposed to be restricted and audited. Any ideas?
Thanks.
-Janak
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
