Re: what do we do with user_home_t, and what more could we do with it?

On Wed, 2013-10-30 at 10:11 -0400, Matthew Miller wrote:
> There is some concern on the devel mailing list about user-writable
> directories in the default $PATH -- initially discussion about ~/.local/bin
> as a hidden file, but now also out to ~/bin as well. I notice that these are
> home_bin_t. What does this do with the current policy, and what more could
> we do? (Particularly, a compromised application shouldn't be able to put
> binaries there, but a shell script or something like `pip install` probably
> _should_ be able to.)
> 

home_bin_t, I believe, was implemented so that select system services
would be able to run executable files with that type (usually generic
binaries in user home directories).

> # sesearch -ASCT -t home_bin_t -p execute_no_trans | grep home_bin_t
>    allow postfix_local_t home_bin_t : file { ioctl read getattr execute execute_no_trans open } ; 
>    allow procmail_t home_bin_t : file { ioctl read getattr execute execute_no_trans open } ; 

It looks like postfix_local_t and procmail_t were the reason to implement this executable user home type.


What we could do is target applications; the user domain itself will eventually need full access to all user home content types.

So, what do?

Make the user run targeted applications outside of the user domain.

Then we can allow those targeted applications, if it makes sense, pretty much full access to generic user content, and
restrict access to non-generic content (for instance home_bin_t).



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
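
An added example, not part of the original post: a Python script that parses `sesearch` allow-rule output for home_bin_t and separates the domains that can modify files of that type from those that can only execute them, which is the split the reply proposes enforcing. The sample rules are constructed; only the postfix_local_t and procmail_t lines appear in the post, and the example_* domains are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in sesearch's output format. Only the first two rules
# come from the post; the example_* domains are hypothetical.
SAMPLE = """\
   allow postfix_local_t home_bin_t : file { ioctl read getattr execute execute_no_trans open } ;
   allow procmail_t home_bin_t : file { ioctl read getattr execute execute_no_trans open } ;
   allow example_app_t home_bin_t : file { read getattr open } ;
   allow example_user_t home_bin_t : file { ioctl read write create getattr setattr unlink execute execute_no_trans open } ;
   allow example_user_t home_bin_t : dir { read search add_name remove_name write } ;
   allow example_app_t user_home_t : file { read write create open } ;
"""

# Matches "allow SRC TGT : CLASS { perms } ;" and the compact "TGT:CLASS" form,
# with either a braced permission set or a single bare permission.
RULE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^\s:]+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;"
)

# Permissions that let a domain place or alter content of the target type.
MODIFY = {"write", "append", "create", "rename", "unlink", "setattr",
          "relabelto", "add_name", "remove_name"}
EXECUTE = {"execute", "execute_no_trans"}


def parse_rules(text, target="home_bin_t"):
    """Map each source domain to the permissions it holds on `target`."""
    perms = defaultdict(set)
    for line in text.splitlines():
        m = RULE.match(line)
        if m and m.group(2) == target:
            perms[m.group(1)].update((m.group(4) or m.group(5)).split())
    return dict(perms)


def audit(text, target="home_bin_t"):
    """Split source domains into those that can modify and those that can run."""
    rules = parse_rules(text, target)
    return {
        "can_modify": sorted(d for d, p in rules.items() if p & MODIFY),
        "can_execute": sorted(d for d, p in rules.items() if p & EXECUTE),
    }


if __name__ == "__main__":
    for kind, domains in audit(SAMPLE).items():
        print(f"{kind}: {', '.join(domains) or '(none)'}")
```

Rules whose target is an attribute rather than the literal type name are not expanded here, so feed it output already filtered to the type, as the `grep home_bin_t` in the post does.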




