On Mon, Nov 24, 2008 at 10:40:56 -0500,
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> A couple of things, people have asked for the ability to stop the
> execution of programs in the homedir. So the least priv app does not
> have the ability to execute content. Since xguest has the ability to
> execute perl, sh, python and other interpreters, the value of shutting
> down execution in the homedir is questionable. This means
> ~/bin/myscript.sh will fail, but sh ~/bin/myscript.sh will work. The
> blocking of execution does work for all compiled code.
OK, that explains what I was seeing.
> The policy for the boolean allows the execution of user_home_t, but
> not other labeled files in the homedir, which is a bug.
And I think that explains why changing the booleans didn't fix my specific
situation.
Thanks for the explanation.