On Wed, 2013-10-30 at 09:50 -0500, Bruno Wolff III wrote: > On Wed, Oct 30, 2013 at 10:11:39 -0400, > Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote: > >There is some concern on the devel mailing list about user-writable > >directories in the default $PATH -- initially discussion about ~/.local/bin > >as a hidden file, but now also out to ~/bin as well. I notice that these are > >home_bin_t. What does this do with the current policy, and what more could > >we do? (Particularly, a compromised application shouldn't be able to put > >binaries there, but a shell script or something like `pip install` probably > >_should_ be able to.) > > As was also pointed out in that thread, if you are going to worry about > those directories, you should also worry about dot files used when starting > up shells (.login, .cshrc, .profile and the like). > -- Just give those a private type as well, allow user domains full access to content with the private type, and restrict targeted applications access to content with that type. I actually implemented a policy module that does just that for fedora 19, although i haven't maintained it in the last couple months so it may have developed bugs in the mean while https://github.com/mypublicrepositories/myloginuser video related: https://www.youtube.com/watch?v=EUpxCXGluBI -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
