From: justinmattock@gmail.com (Justin P. mattock)
Date: Mon, 08 Mar 2010 18:25:55 -0800
Subject: [refpolicy] user vs unconfined
In-Reply-To: <201003091314.03493.russell@coker.com.au>
References: <201003091314.03493.russell@coker.com.au>
Message-ID: <4B95B1B3.5080308@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/08/2010 06:14 PM, Russell Coker wrote:
> Why do unconfined_t and user_t use the same file types for almost everything
> in the latest policy?
>
> This means that if an unconfined user has bad Unix permissions on their home
> directory then user_t can replace a file that will be executed and therefore
> gain unconfined_t access.
>
> So is there any benefit in using user_t in such a scheme?  If there isn't a
> benefit, and as almost all users of the Fedora policy will only use
> unconfined_t for user sessions it seems that the thing to do would be to
> restore the previous separation of user_t, staff_t, sysadm_t, and
> unconfined_t for those who need it as it won't actually affect the Fedora
> users.
>
> Or of course I could just maintain a private fork of the policy for Debian.
>
> Since 2002 the Debian policy has denied root:user_r:user_t the ability to take
> over the system and I plan to keep it that way.
>


doesn't matter to me(although my opinion probably doesn't matter).
let me know I can load up the latest policy and see.

Justin P. Mattock