dmesg errors (sgi_fam)
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 18 04:01:37 UTC 2004
Russell Coker wrote:
>On Wed, 17 Mar 2004 22:39, Martin Ebourne <lists at ebourne.me.uk> wrote:
>
>
>>Russell Coker <russell at coker.com.au> wrote:
>>
>>
>>>The problem is that famd is an application which accepts network
>>>connections, wants read access to every file that any user can access.
>>>If you want to have a secure system you don't want many such programs.
>>>
>>>
>>Surely it doesn't need access to the file contents - just to stat them, so
>>access to directories (still a security issue, I agree).
>>
>>
>
>Giving access to file names is still a security issue. If it can run with
>only { getattr search } access to directories and getattr access to files
>then it won't be so bad. Of course being able to remotely monitor what files
>someone is writing to also provides some issues (and for some files the
>names are predictable).
>
>
We have turned it off for test2 and intend to have a replacement.
Basically we need one that runs in user space and has access to all
files that the user has access to. Currently famd does stuff with
portmapper and still requires a network communication even if it is
only allowing localhost.
In FC1 it was locked down to localhost.
We realize that fam provides a needed feature, and are working to
replace it.
Dan
>
>
>>>Remote famd operation is only for non-polling notifications over the
>>>network. For most people having polling for file status changes on NFS
>>>will probably be OK.
>>>
>>>
>>I agree with disabling remote famd, but the original post appeared to be
>>disabling the daemon entirely, which I expect would prevent local file
>>monitoring too. Or do gnome/kde use dnotify directly?
>>
>>
>
>I don't think that the command Dan suggested would turn it off entirely. The
>libfam functionality linked into applications should still do everything you
>want locally.
>
>
>
>>Also, I thought RH/Fedora already shipped with remote famd disabled.
>>
>>
>
>Not last time I checked.
>
>
>