SELinux issues
Colin Walters
walters at redhat.com
Wed Apr 21 23:34:52 UTC 2004
On Wed, 2004-04-21 at 18:57, Thomas Bleher wrote:
> Not sure what you mean by "incompatible". Writing policy for fam is not
> difficult, in fact I have written some policy for fam some time ago
> (diff against CVS attached). It is however impossible to prevent some
> information leakage when using fam. The attached policy is very liberal
> regarding this, allowing any userdomain to monitor any file. For a more
> secure setup fam should only be able to monitor user_home_t and
> user_tmp_t.
Well, that's not the only thing that it's desirable to monitor. For
example, the GNOME theme manager monitors the theme installation
directory, so if you install a new theme, it automatically shows up in
the theme list. Similarly with the menu system.
> A full solution requires modifications to fam: it should check the
> security context of the caller (like it does already with uid and gid)
> and only monitor the files if they can be accessed by the caller.
Right - I think someone here looked at doing that and just gave up. We
have someone working on writing a new file monitoring system, hopefully
something will happen there soon.
Anyways, I think it makes some sense to include your FAM policy as a
temporary solution for people who run SELinux and also want the file
monitoring. But I will leave that decision up to Dan Walsh, the main
policy maintainer. Hopefully he'll comment here.
> http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
I see you're using Arch to maintain the policy, very cool. I really
wish we could do that here. Editing patches in Emacs' diff-mode and
committing to CVS just isn't quite the same...
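As an added illustration of the two policy shapes discussed above (the liberal "any userdomain may monitor any file" policy versus one restricted to user_home_t and user_tmp_t), here is a sketch in SELinux type enforcement syntax. It is example text written for this page, not Thomas Bleher's attached diff and not Fedora's policy. It assumes a dedicated fam domain fam_t already exists and that the user domains carry the userdomain attribute; the exact permission sets fam needs for its directory polling and dnotify/imon monitoring are assumptions and should be checked against the avc denials on a real system. How clients reach fam (RPC over the loopback interface or a local socket, depending on the fam build) is left out.

```selinux
# Added example for this page; not the policy attached to the thread.
# Assumes: type fam_t is fam's domain (declared elsewhere, with its
# domain transition), and the userdomain attribute covers user_t, staff_t
# and friends. Permission names follow the old example policy; the sets
# are assumptions about what fam needs, not measured from fam's source.

# --- Liberal variant: fam may inspect anything that carries a file type,
#     so any user domain that can talk to fam can learn when files it
#     could never read itself change. This is the information leak the
#     thread is talking about.
allow fam_t file_type:dir      { getattr search read };
allow fam_t file_type:file     { getattr };
allow fam_t file_type:lnk_file { getattr read };

# --- Tighter variant: fam only monitors content in user home directories
#     and user tmp. A user who cannot read /etc or another user's home in
#     his own domain gets nothing about them from fam either.
#     user_home_dir_t is the label of the home directory itself; it is
#     added here (an assumption beyond the two types named in the mail)
#     because watching $HOME/Desktop or $HOME/.themes needs search on it.
allow fam_t user_home_dir_t:dir  { getattr search read };
allow fam_t user_home_t:dir      { getattr search read };
allow fam_t user_home_t:file     { getattr };
allow fam_t user_home_t:lnk_file { getattr read };
allow fam_t user_tmp_t:dir       { getattr search read };
allow fam_t user_tmp_t:file      { getattr };

# Note that even the tight variant still lets one user domain ask about
# another user's home if DAC would not stop fam (fam runs as root). The
# real fix the thread asks for is in fam itself: take the peer's security
# context on the connection and refuse to monitor paths that context could
# not access, the same way fam already checks the caller's uid and gid.
```

With the tight variant in place, things like the GNOME theme directory or the menu tree mentioned above are not covered unless their labels are added to the allow rules explicitly, which is the trade-off Colin is pointing at.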