preventing unconfined users exec in home and tmp
Daniel J Walsh
dwalsh at redhat.com
Tue Dec 2 20:25:38 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Murray McAllister wrote:
> Murray McAllister wrote:
>> Hi,
>>
>> I have turned "allow_unconfined_exec_content" off, but unconfined
>> users (unconfined_u) can still execute files in their home directories
>> and /tmp/.
>>
>> I tried adding a user with "useradd -Z unconfined_u". This user can
>> still execute. I could not find any dontaudit rules.
>>
>> Am I missing something?
> I am running Fedora release 10 (Cambridge):
>
> selinux-policy-targeted-3.5.13-18.fc10.noarch
> selinux-policy-3.5.13-18.fc10.noarch
> selinux-policy-doc-3.5.13-18.fc10.noarch
> libselinux-utils-2.0.73-1.fc10.i386
> libselinux-python-2.0.73-1.fc10.i386
> libselinux-2.0.73-1.fc10.i386
> policycoreutils-2.0.57-11.fc10.i386
>
> Cheers.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes this boolean really should not exist, it is caused by calling an
interface. that allows PARAM to execute user_home_t, but unconfiened_t
can already execute any file on the system so the boolean has no effect.
The boolean only works for confined users.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkk1mcIACgkQrlYvE4MpobNI9gCglCtb/KiWAJGUW5Batvngsf3e
dQQAnRsPCndAvOw7o3ADhFL89qZq3fDI
=rUbd
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list