On 10/30/2013 11:43 AM, Dominick Grift wrote:
On Wed, 2013-10-30 at 11:13 -0400, Daniel J Walsh wrote:
> On 10/30/2013 10:11 AM, Matthew Miller wrote:
>> There is some concern on the devel mailing list about user-writable
>> directories in the default $PATH -- initially discussion about
>> ~/.local/bin as a hidden file, but now also out to ~/bin as well. I
>> notice that these are home_bin_t. What does this do with the current
>> policy, and what more could we do? (Particularly, a compromised
>> application shouldn't be able to put binaries there, but a shell script
>> or something like `pip install` probably _should_ be able to.)
>>
> I responded on the other email on what these labels do.
>
> Confining user space is difficult, since most people do not want stuff
> to break and blocking apps from writing general places in the homedir is
> difficult.
>
> I think the future with confined applications where the application runs
> within a container and does not get direct access to the users homedir is
> the only way to handle this.
Difficult: sure, impossible: I do not think so.
I have proof that it is possible, if one sets clear goals, boundaries, and
realistic expectations.
I do not think containers are a silver bullet, and that MCS is a solution
to all problems.
Well in this case I would like to potentially run these container/apps with
Types like firefox_t and ooffice_t, but more generically with app_t where
app_t is not allowed to touch user_home_t.
But we are going far afield of this email chain, and we can revisit this when
we actually have application containers.
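The concern Matthew raises at the top of the thread is that a directory in $PATH which the user can write to lets any process running as that user plant a binary that shadows a system command. The following audit script is an added example, not code from anyone on this list: it walks a colon-separated PATH list, reports every existing directory the current user can write to, and, when SELinux is enforcing and `ls -Zd` is available, shows the directory's security context (for example home_bin_t on ~/bin) so you can see which type a confined domain would need write access to. It assumes only POSIX sh and coreutils.

```shell
#!/bin/sh
# Added example: list user-writable directories from a PATH-style string.
# Prints one "<dir><TAB><context-or-?>" line per writable directory and
# returns 1 if any were found, 0 otherwise. Assumes POSIX sh + coreutils.

# Look up the SELinux context of a directory, or "?" when SELinux is not
# enabled on this host (constructed helper, not from the original thread).
selinux_ctx_of() {
    if command -v getenforce >/dev/null 2>&1 \
       && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
        ls -Zd "$1" 2>/dev/null | awk '{print $1}'
    else
        printf '?'
    fi
}

writable_path_dirs() {
    _rest="$1:"          # trailing colon makes the last element easy to pop
    _found=0
    while [ -n "$_rest" ]; do
        _d=${_rest%%:*}  # element before the first colon
        _rest=${_rest#*:}
        [ -z "$_d" ] && _d=.   # an empty PATH element means the current dir
        [ -d "$_d" ] || continue
        if [ -w "$_d" ]; then
            printf '%s\t%s\n' "$_d" "$(selinux_ctx_of "$_d")"
            _found=1
        fi
    done
    [ "$_found" -eq 0 ]
}

# Stand-alone usage: audit the caller's own PATH.
if [ "${AUDIT_PATH_DEMO:-0}" = 1 ]; then
    writable_path_dirs "$PATH"
fi
```

Run with `AUDIT_PATH_DEMO=1 sh audit.sh` (or call `writable_path_dirs "$PATH"` from another script) to check your own session.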