Murray McAllister wrote:
> Murray McAllister wrote:
>> Hi,
>>
>> I have turned "allow_unconfined_exec_content" off, but unconfined
>> users (unconfined_u) can still execute files in their home directories
>> and /tmp/.
>>
>> I tried adding a user with "useradd -Z unconfined_u". This user can
>> still execute. I could not find any dontaudit rules.
>>
>> Am I missing something?
> I am running Fedora release 10 (Cambridge):
>
> selinux-policy-targeted-3.5.13-18.fc10.noarch
> selinux-policy-3.5.13-18.fc10.noarch
> selinux-policy-doc-3.5.13-18.fc10.noarch
> libselinux-utils-2.0.73-1.fc10.i386
> libselinux-python-2.0.73-1.fc10.i386
> libselinux-2.0.73-1.fc10.i386
> policycoreutils-2.0.57-11.fc10.i386
>
> Cheers.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Yes, this boolean really should not exist; it is caused by calling an
interface that allows PARAM to execute user_home_t, but unconfined_t can
already execute any file on the system, so the boolean has no effect. The
boolean only works for confined users.
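Why the boolean does nothing for unconfined_t, as an added example that is not part of the original thread: allow rules are additive, so a boolean-controlled rule only matters when no unconditional rule already grants the same permission. The rule text, the attribute map, and the names confined_example_t and example_confined_exec_content are constructed for illustration and are not taken from the Fedora 10 policy.

```python
import re

# Constructed, simplified allow rules. A trailing "[ name ]" marks a rule that
# is only active while that boolean is on. Not a dump of any real policy.
SAMPLE_RULES = """\
allow unconfined_t file_type : file { read write execute } ;
allow unconfined_t user_home_t : file { execute } ; [ allow_unconfined_exec_content ]
allow confined_example_t user_home_t : file { read write } ;
allow confined_example_t user_home_t : file { execute } ; [ example_confined_exec_content ]
"""

# Constructed attribute membership: which types an attribute name expands to.
SAMPLE_ATTRS = {"file_type": {"user_home_t"}}

RULE = re.compile(r"allow (\S+) (\S+) : (\S+) \{ ([^}]*)\} ;(?: \[ (\S+) \])?")


def parse_rules(text):
    """Return (source, target, class, perms, boolean-or-None) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE.fullmatch(line.strip())
        if m:
            src, tgt, cls, perms, boolean = m.groups()
            rules.append((src, tgt, cls, set(perms.split()), boolean))
    return rules


def boolean_effect(rules, attrs, boolean, domain, target, cls, perm):
    """Classify what `boolean` does for one access: domain -> target:cls perm.

    'unrelated'   : the boolean guards no rule for this access
    'ineffective' : an unconditional rule grants it regardless of the boolean
    'effective'   : only the boolean-controlled rule grants it
    Simplification: source attributes and else-branches are not modelled.
    """
    def grants(rule):
        src, tgt, c, perms, _ = rule
        same_target = tgt == target or target in attrs.get(tgt, ())
        return src == domain and c == cls and perm in perms and same_target

    conditional = any(grants(r) and r[4] == boolean for r in rules)
    unconditional = any(grants(r) and r[4] is None for r in rules)
    if not conditional:
        return "unrelated"
    return "ineffective" if unconditional else "effective"
```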