Re: what do we do with user_home_t, and what more could we do with it?

On 10/30/2013 10:11 AM, Matthew Miller wrote:
> There is some concern on the devel mailing list about user-writable 
> directories in the default $PATH -- initially discussion about
> ~/.local/bin as a hidden file, but now also out to ~/bin as well. I notice
> that these are home_bin_t. What does this do with the current policy, and
> what more could we do? (Particularly, a compromised application shouldn't
> be able to put binaries there, but a shell script or something like `pip
> install` probably _should_ be able to.)
> 
I responded on the other email on what these labels do.

Confining user space is difficult, since most people do not want stuff to
break and blocking apps from writing to general places in the homedir is difficult.

I think the future with confined applications where the application runs
within a container and does not get direct access to the user's homedir is the
only way to handle this.

Imagine firefox running with its own home dir, but when the user wants to upload a
file or download a file, firefox asks the desktop to launch the file dialog,
which runs in a separate process controlled by the user.  The user then
specifies the file location and the file dialog process opens an fd or creates an fd and
passes the fd into the firefox container.  Now the firefox app can write to the FD,
but it would not be able to get to ~/bin or ~/.local/bin within the user's home
dir.

Until we get to this type of architecture it is very difficult to confine
large apps like Libreoffice, Firefox, Thunderbird, Evolution ...

Personally I think if you are going to put ~/bin or ~/.local/bin into the
user's path they should be at the end of the path rather than the front.  Then
the user has less chance of executing the wrong executable.  Like the mkdir
example, but he can still execute applications in his homedir.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
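
The PATH-ordering point in the reply above, as an added example that is not part of the original message: a POSIX shell check that lists executables in home-directory PATH entries which take precedence over a same-named command later in PATH. It assumes that PATH entries under the given home directory are the user-writable ones; the function names `path_shadows` and `first_in_path` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread).

# first_in_path NAME DIRS: print the first executable NAME found in the
# colon-separated DIRS; return 1 if there is none.
first_in_path() {
    fip_name=$1
    fip_rest=$2
    while [ -n "$fip_rest" ]; do
        fip_dir=${fip_rest%%:*}
        case $fip_rest in
            *:*) fip_rest=${fip_rest#*:} ;;
            *)   fip_rest= ;;
        esac
        [ -n "$fip_dir" ] || fip_dir=.   # empty entry means current directory
        if [ -f "$fip_dir/$fip_name" ] && [ -x "$fip_dir/$fip_name" ]; then
            printf '%s\n' "$fip_dir/$fip_name"
            return 0
        fi
    done
    return 1
}

# path_shadows PATH_STRING HOME_DIR: for every PATH entry under HOME_DIR
# (assumed user-writable, e.g. ~/bin or ~/.local/bin), print
# "<file> hides <later file>" for each executable that would be run instead
# of a same-named command found in a later PATH entry.
path_shadows() {
    ps_rest=$1
    ps_home=${2%/}
    while [ -n "$ps_rest" ]; do
        ps_dir=${ps_rest%%:*}
        case $ps_rest in
            *:*) ps_rest=${ps_rest#*:} ;;
            *)   ps_rest= ;;
        esac
        case $ps_dir/ in
            "$ps_home"/*) ;;          # entry lives under the home directory
            *) continue ;;            # system entry: not checked here
        esac
        for ps_file in "$ps_dir"/*; do
            [ -f "$ps_file" ] && [ -x "$ps_file" ] || continue
            ps_later=$(first_in_path "${ps_file##*/}" "$ps_rest") || continue
            printf '%s hides %s\n' "$ps_file" "$ps_later"
        done
    done
}
```

Run it as `path_shadows "$PATH" "$HOME"`; with the home directories at the end of PATH, as the reply suggests, nothing later can be hidden and the output is empty.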