On Wed, Oct 30, 2013 at 09:50:58AM -0500, Bruno Wolff III wrote:
>There is some concern on the devel mailing list about user-writable
>directories in the default $PATH -- initially discussion about ~/.local/bin
>as a hidden file, but now also out to ~/bin as well. I notice that these are
>home_bin_t. What does this do with the current policy, and what more could
>we do? (Particularly, a compromised application shouldn't be able to put
>binaries there, but a shell script or something like `pip install` probably
>_should_ be able to.)

As was also pointed out in that thread, if you are going to worry
about those directories, you should also worry about dot files used
when starting up shells (.login, .cshrc, .profile and the like).

Right, I was the one who pointed that out in that thread. And, sure, let's
worry about them too. What can SELinux do for us?

--
Matthew Miller mattdm(a)mattdm.org <http://mattdm.org/>