On Fri, May 01, 2009 at 10:31:12 -0400, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: > I would like to run restorecond as a user service rather then as system > service. I want to run it under the Users UID and under with the users > context. > > Then I can have it watch for creation of files in the users home > directory and be the equivalent of running restorecon ~/ by the user. This seems to increase the risk of hostile apps being able to get executables relabelled to something they couldn't do directly. If the app has the ability to write the directory it can replace a file labelled with a label it couldn't couldn't assign directly with another file and then wait for restorecond to change the label. While the same thing would happen with a relabel or running restorecon manually, currently there is a lot more opportunity to discover the problem before the file is relabelled. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
