SELinux issues

Colin Walters walters at redhat.com
Wed Apr 21 23:34:52 UTC 2004


On Wed, 2004-04-21 at 18:57, Thomas Bleher wrote:

> Not sure what you mean by "incompatible". Writing policy for fam is not
> difficult, in fact I have written some policy for fam some time ago
> (diff against CVS attached). It is however impossible to prevent some
> information leakage when using fam. The attached policy is very liberal
> regarding this, allowing any userdomain to monitor any file. For a more
> secure setup fam should only be able to monitor user_home_t and
> user_tmp_t. 

Well, that's not the only thing that it's desirable to monitor.  For
example, the GNOME theme manager monitors the theme installation
directory, so if you install a new theme, it automatically shows up in
the theme list.  Similarly with the menu system.

> A full solution requires modifications to fam: it should check the
> security context of the caller (like it does already with uid and gid)
> and only monitor the files if they can be accessed by the caller.

Right - I think someone here looked at doing that and just gave up.  We
have someone working on writing a new file monitoring system, hopefully
something will happen there soon.

Anyways, I think it makes some sense to include your FAM policy as a
temporary solution for people who run SELinux and also want the file
monitoring.  But I will leave that decision up to Dan Walsh, the main
policy maintainer.  Hopefully he'll comment here.

> http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages

I see you're using Arch to maintain the policy, very cool.  I really
wish we could do that here.  Editing patches in Emacs' diff-mode and
committing to CVS just isn't quite the same...
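To make the two options in the thread concrete, here is an added illustration in raw SELinux policy statements. It is not Thomas's attached diff (which the archive does not carry); the domain name fam_t and the exact permission sets are assumptions.

```selinux
# Added illustration, not the attached policy diff. "fam_t" is an assumed
# domain name for the fam daemon; the permission sets are assumptions.

# Both variants: any user domain may talk to fam over its unix socket.
allow userdomain fam_t:unix_stream_socket connectto;

# Liberal variant (what the thread describes): fam may inspect every
# labelled directory and file, so a client can learn when a file it
# could not itself read appears, changes or disappears.
allow fam_t file_type:dir { getattr search read };
allow fam_t file_type:file getattr;

# Narrower variant: fam may only watch user home and user tmp content.
# Monitoring of the theme or menu directories then fails, as noted above.
allow fam_t { user_home_t user_tmp_t }:dir { getattr search read };
allow fam_t { user_home_t user_tmp_t }:file getattr;
```

Even the narrower set does not stop one user from watching another user's home files, since those files typically share the user_home_t type; only the caller-context check in fam itself, as proposed in the thread, closes that gap.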
