On Wed, 2013-10-30 at 11:13 -0400, Daniel J Walsh wrote:
> On 10/30/2013 10:11 AM, Matthew Miller wrote:
> > There is some concern on the devel mailing list about user-writable
> > directories in the default $PATH -- initially discussion about
> > ~/.local/bin as a hidden file, but now also out to ~/bin as well. I notice
> > that these are home_bin_t. What does this do with the current policy, and
> > what more could we do? (Particularly, a compromised application shouldn't
> > be able to put binaries there, but a shell script or something like `pip
> > install` probably _should_ be able to.)
> >
> I responded on the other email on what these labels do.
>
> Confining user space is difficult, since most people do not want stuff to
> break and blocking apps from writing general places in the homedir is difficult.
>
> I think the future with confined applications where the application runs
> within a container and does not get direct access to the user's homedir is the
> only way to handle this.

Difficult: sure, impossible: I do not think so. I have proof that it is
possible, if one sets clear goals, boundaries, and realistic expectations.

I do not think containers are a silver bullet, and that MCS is a solution to
all problems.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux