From: michal.svoboda@agents.felk.cvut.cz (Michal Svoboda)
Date: Tue, 9 Mar 2010 07:39:50 +0100
Subject: [refpolicy] user vs unconfined
In-Reply-To: <201003091314.03493.russell@coker.com.au>
References: <201003091314.03493.russell@coker.com.au>
Message-ID: <20100309063950.GC3587@myhost.felk.cvut.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Russell Coker wrote:
> This means that if an unconfined user has bad Unix permissions on their home 
> directory then user_t can replace a file that will be executed and therefore 
> gain unconfined_t access.

Shouldn't this be prevented by the UBAC constrains? (ie. the user part
of the context matters.)

> Or of course I could just maintain a private fork of the policy for Debian.

Not a good idea.

Michal Svoboda
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100309/fd9f2750/attachment.bin