Re: what do we do with user_home_t, and what more could we do with it?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/30/2013 11:09 AM, Matthew Miller wrote:
> On Wed, Oct 30, 2013 at 09:50:58AM -0500, Bruno Wolff III wrote:
>>> There is some concern on the devel mailing list about user-writable 
>>> directories in the default $PATH -- initially discussion about
>>> ~/.local/bin as a hidden file, but now also out to ~/bin as well. I
>>> notice that these are home_bin_t. What does this do with the current
>>> policy, and what more could we do? (Particularly, a compromised
>>> application shouldn't be able to put binaries there, but a shell script
>>> or something like `pip install` probably _should_ be able to.)
>> As was also pointed out in that thread, if you are going to worry about
>> those directories, you should also worry about dot files used when
>> starting up shells (.login, .cshrc, .profile and the like).
> 
> Right, I was the one who pointed that out in that thread. And, sure, let's 
> worry about them too. What can SELinux do for us?
> 
Well currently we don't allow confined apps to write to those files if at all
possible.  Those files are labeled user_home_t and types like mozilla_plugin_t
and chrome_sandbox_t are not allowed to write user_home_t.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJxIlAACgkQrlYvE4MpobNAEACg4ilpZyax/snyDncu0mn696sg
vY8An1d6duw02sF/jTP3oAAg4NI08rPi
=WJmM
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux