From: michal.svoboda@agents.felk.cvut.cz (Michal Svoboda)
Date: Tue, 9 Mar 2010 07:39:50 +0100
Subject: [refpolicy] user vs unconfined
In-Reply-To: <201003091314.03493.russell@coker.com.au>
References: <201003091314.03493.russell@coker.com.au>
Message-ID: <20100309063950.GC3587@myhost.felk.cvut.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Russell Coker wrote:
> This means that if an unconfined user has bad Unix permissions on their home
> directory then user_t can replace a file that will be executed and therefore
> gain unconfined_t access.

Shouldn't this be prevented by the UBAC constraints? (i.e. the user part of the
context matters.)

> Or of course I could just maintain a private fork of the policy for Debian.

Not a good idea.

Michal Svoboda