[refpolicy] Allowing aplication to run bin_t
Christopher J. PeBenito
cpebenito at tresys.com
Thu Aug 20 11:01:39 CDT 2009
On Thu, 2009-08-20 at 16:14 +0200, Nicky726 wrote:
> when writing a policy for Konqueror I came by to an issue
> of allowing it to run an aplication in bin_t (drkonqi).
> According to Dominick Grift it is no big deal to allow that
> So is that considered safe and what would be possible
> security riscs of allowing it?
The main risk is arbitrary code execution. Many system programs are
labeled bin_t, and konqueror would be able to execute any of them.
These programs are system binaries, so they should be safe to execute
(few domains can write to bin_t). They would still be constrained by
konqueror's domain, so the risk depends on how privileged konqueror is.
Tresys Technology, LLC
(410) 290-1411 x150
More information about the refpolicy