what do we do with user_home_t, and what more could we do with it?
Daniel J Walsh
dwalsh at redhat.com
Wed Oct 30 15:14:24 UTC 2013
On 10/30/2013 11:09 AM, Matthew Miller wrote:
> On Wed, Oct 30, 2013 at 09:50:58AM -0500, Bruno Wolff III wrote:
>>> There is some concern on the devel mailing list about user-writable
>>> directories in the default $PATH -- initially discussion about
>>> ~/.local/bin as a hidden file, but now also out to ~/bin as well. I
>>> notice that these are home_bin_t. What does this do with the current
>>> policy, and what more could we do? (Particularly, a compromised
>>> application shouldn't be able to put binaries there, but a shell script
>>> or something like `pip install` probably _should_ be able to.)
>> As was also pointed out in that thread, if you are going to worry about
>> those directories, you should also worry about dot files used when
>> starting up shells (.login, .cshrc, .profile and the like).
>
> Right, I was the one who pointed that out in that thread. And, sure, let's
> worry about them too. What can SELinux do for us?
>
Well, currently we don't allow confined apps to write to those files if at all
possible. Those files are labeled user_home_t and types like mozilla_plugin_t
and chrome_sandbox_t are not allowed to write user_home_t.
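Added example, not part of the original message and not code from the SELinux project: a small Python filter that reads `sesearch --allow` style rule text and lists the domains that hold write-like permissions on a type such as user_home_t. The sample rules and the `example_*_t` domains are constructed for illustration and are not taken from any real policy.

```python
import re

# Permissions that let a domain modify or plant files/dir entries of a type.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "add_name", "remove_name"}

# Matches "allow src tgt:class perm;" and "allow src tgt:class { p1 p2 };"
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^\s:]+)\s*:\s*(\w+|\{[^}]*\})\s+(\w+|\{[^}]*\})\s*;")

# Constructed sample input in sesearch output style (NOT real policy).
# On a live system, pipe in: sesearch --allow -t user_home_t
SAMPLE_RULES = """\
allow mozilla_plugin_t user_home_t:file { getattr open read };
allow mozilla_plugin_t user_home_t:dir { getattr search open read };
allow example_app_t user_home_t:file { create write open getattr };
allow example_app_t home_bin_t:file { execute getattr };
allow example_helper_t user_home_t:dir { add_name write search };
"""

def _items(token):
    """Split 'perm' or '{ p1 p2 }' into a set of names."""
    return set(token.strip("{} ").split())

def writers(rules_text, target_type, classes=("file", "dir")):
    """Return {source_domain: sorted write-like perms} granted on target_type."""
    found = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skip headers, blank lines, non-allow rules
        src, tgt, cls, perms = m.groups()
        if tgt != target_type or not (_items(cls) & set(classes)):
            continue
        hit = WRITE_PERMS & _items(perms)
        if hit:
            found.setdefault(src, set()).update(hit)
    return {src: sorted(p) for src, p in found.items()}

if __name__ == "__main__":
    for domain, perms in sorted(writers(SAMPLE_RULES, "user_home_t").items()):
        print(f"{domain} can modify user_home_t: {' '.join(perms)}")
```

Any confined domain that shows up in the result for user_home_t is one that could alter shell startup files carrying that label.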