Hi,
I have turned "allow_unconfined_exec_content" off, but unconfined users (unconfined_u) can still execute files in their home directories and /tmp/.
I tried adding a user with "useradd -Z unconfined_u". This user can still execute. I could not find any dontaudit rules.
Am I missing something?
Thanks.
Murray McAllister wrote:
> Hi,
> I have turned "allow_unconfined_exec_content" off, but unconfined users (unconfined_u) can still execute files in their home directories and /tmp/.
> I tried adding a user with "useradd -Z unconfined_u". This user can still execute. I could not find any dontaudit rules.
> Am I missing something?
I am running Fedora release 10 (Cambridge):
selinux-policy-targeted-3.5.13-18.fc10.noarch
selinux-policy-3.5.13-18.fc10.noarch
selinux-policy-doc-3.5.13-18.fc10.noarch
libselinux-utils-2.0.73-1.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
libselinux-2.0.73-1.fc10.i386
policycoreutils-2.0.57-11.fc10.i386
Cheers.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes, this boolean really should not exist. It is caused by calling an interface that allows PARAM to execute user_home_t, but unconfined_t can already execute any file on the system, so the boolean has no effect. The boolean only works for confined users.
selinux@lists.fedoraproject.org
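
Added example, not part of the original thread and not code from the SELinux project: a check for whether a boolean can change anything for a domain, by looking for an unconditional allow rule that already grants the same permission. The rule lines are constructed samples, and example_user_t and example_exec_content are hypothetical names.

```shell
#!/bin/sh
# Constructed sample rules (not captured from a real system), in the shape
#   allow SOURCE TARGET : CLASS { PERMS } ; [ BOOLEAN ]
# where only conditional rules carry the trailing [ BOOLEAN ].
UNCONFINED_RULES='allow unconfined_t file_type : file { read write execute } ;
allow unconfined_t user_home_t : file { execute } ; [ allow_unconfined_exec_content ]'

# example_user_t and example_exec_content are hypothetical names.
CONFINED_RULES='allow example_user_t user_home_t : file { read write } ;
allow example_user_t user_home_t : file { execute } ; [ example_exec_content ]'

# boolean_effect BOOLEAN PERM  (allow rules on stdin) prints one of:
#   no-effect    an unconditional rule already grants PERM
#   effective    PERM is granted only by rules conditional on BOOLEAN
#   not-granted  no unconditional or BOOLEAN-gated rule grants PERM
boolean_effect() {
    awk -v bool="$1" -v perm="$2" '
        $1 != "allow" && $2 != "allow" { next }   # skip headers and other rule types
        {
            semi = index($0, ";")
            if (semi == 0) next
            rule = substr($0, 1, semi - 1)        # "allow S T : CLASS { PERMS }"
            cond = substr($0, semi + 1)           # "[ BOOLEAN ]" or empty
            sub(/^.*:/, "", rule)                 # keep "CLASS { PERMS }"
            gsub(/[{}]/, " ", rule)
            n = split(rule, tok, " ")
            granted = 0
            for (i = 2; i <= n; i++)              # tok[1] is the class
                if (tok[i] == perm) granted = 1   # whole-token match only
            if (!granted) next
            if (cond !~ /\[/) uncond = 1
            else if (index(cond, bool)) gated = 1
        }
        END {
            if (uncond) print "no-effect"
            else if (gated) print "effective"
            else print "not-granted"
        }'
}

printf 'unconfined_t: %s\n' "$(printf '%s\n' "$UNCONFINED_RULES" |
    boolean_effect allow_unconfined_exec_content execute)"
printf 'example_user_t: %s\n' "$(printf '%s\n' "$CONFINED_RULES" |
    boolean_effect example_exec_content execute)"
```

On a real system the input would be a rule listing such as the output of sesearch --allow -s unconfined_t -c file -p execute; whether conditional expressions are printed by default depends on the setools version.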