On 10/30/2013 11:09 AM, Matthew Miller wrote:
> On Wed, Oct 30, 2013 at 09:50:58AM -0500, Bruno Wolff III wrote:
>>> There is some concern on the devel mailing list about user-writable
>>> directories in the default $PATH -- initially discussion about
>>> ~/.local/bin as a hidden file, but now also out to ~/bin as well. I
>>> notice that these are home_bin_t. What does this do with the current
>>> policy, and what more could we do? (Particularly, a compromised
>>> application shouldn't be able to put binaries there, but a shell script
>>> or something like `pip install` probably _should_ be able to.)
>> As was also pointed out in that thread, if you are going to worry about
>> those directories, you should also worry about dot files used when
>> starting up shells (.login, .cshrc, .profile and the like).
> Right, I was the one who pointed that out in that thread. And, sure, let's
> worry about them too. What can SELinux do for us?

Well, currently we don't allow confined apps to write to those files if at all
possible. Those files are labeled user_home_t and types like mozilla_plugin_t
and chrome_sandbox_t are not allowed to write user_home_t.
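
An added example, not part of the original thread: a small audit that reads the `security.selinux` extended attribute of the home-directory entries in `$PATH` and of the startup dot files named above, and compares each type with the ones stated in the thread (`home_bin_t` for `~/bin` and `~/.local/bin`, `user_home_t` for the dot files). The function names and the choice to read the xattr directly are assumptions of this example.

```python
import os

DOTFILES = (".login", ".cshrc", ".profile")  # startup files named in the thread

def selinux_type(context):
    """Type field of 'user:role:type[:level]'; the level itself may contain ':'."""
    fields = context.rstrip("\x00").strip().split(":")
    return fields[2] if len(fields) >= 3 else None

def read_context(path):
    """Raw security.selinux xattr as text, or None if unlabeled or unsupported."""
    try:
        return os.getxattr(path, "security.selinux").decode()
    except (OSError, AttributeError):
        return None

def home_path_dirs(path_env, home):
    """$PATH entries that live inside the home directory."""
    home = os.path.normpath(home)
    dirs = []
    for entry in filter(None, path_env.split(":")):
        p = os.path.normpath(entry)
        if p.startswith(home + os.sep) and p not in dirs:
            dirs.append(p)
    return dirs

def audit(home, path_env, read=read_context):
    """Rows of (path, actual_type, expected_type, ok) for paths that exist."""
    home = os.path.normpath(home)
    expected = {d: "home_bin_t" for d in home_path_dirs(path_env, home)}
    expected.update({os.path.join(home, f): "user_home_t" for f in DOTFILES})
    rows = []
    for path, want in expected.items():
        if not os.path.lexists(path):
            continue  # nothing to label
        ctx = read(path)
        got = selinux_type(ctx) if ctx else None
        rows.append((path, got, want, got == want))
    return rows

if __name__ == "__main__":
    home = os.path.expanduser("~")
    for path, got, want, ok in audit(home, os.environ.get("PATH", "")):
        print(f"{'ok  ' if ok else 'DIFF'} {path}: {got} (expected {want})")
```

This checks labels only; whether a given confined domain may write a type is decided by the loaded policy.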