-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/30/2013 11:09 AM, Matthew Miller wrote: > On Wed, Oct 30, 2013 at 09:50:58AM -0500, Bruno Wolff III wrote: >>> There is some concern on the devel mailing list about user-writable >>> directories in the default $PATH -- initially discussion about >>> ~/.local/bin as a hidden file, but now also out to ~/bin as well. I >>> notice that these are home_bin_t. What does this do with the current >>> policy, and what more could we do? (Particularly, a compromised >>> application shouldn't be able to put binaries there, but a shell script >>> or something like `pip install` probably _should_ be able to.) >> As was also pointed out in that thread, if you are going to worry about >> those directories, you should also worry about dot files used when >> starting up shells (.login, .cshrc, .profile and the like). > > Right, I was the one who pointed that out in that thread. And, sure, let's > worry about them too. What can SELinux do for us? > Well currently we don't allow confined apps to write to those files if at all possible. Those files are labeled user_home_t and types like mozilla_plugin_t and chrome_sandbox_t are not allowed to write user_home_t. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlJxIlAACgkQrlYvE4MpobNAEACg4ilpZyax/snyDncu0mn696sg vY8An1d6duw02sF/jTP3oAAg4NI08rPi =WJmM -----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
