ainit
Russell Coker
russell at coker.com.au
Thu Jul 21 11:42:23 UTC 2005
The attached patch is needed for correct functionality of ainit with the
latest strict policy when running reasonably recent rawhide packages.
Is this really what we want? Having a system process allocate shared memory
that can be used by any user processes? Also it seems likely that other
sound programs will need to access the shared memory in question.
There are three possible assumptions that we could make:
1) Anyone who is serious about security doesn't use ALSA so such access
doesn't matter that much.
2) Sound devices are a channel for communication anyway so it doesn't really
grant any new access. NB I don't know enough about sound programming to
know whether this assumption is correct. Does ALSA require that a shared
memory segment be available to all programs that are accessing the sound
device? If so the assumption holds for ALSA. Can an application stuff some
data into the sound hardware without using the user-space code from ALSA in
such a way that another application can read it?
3) We need to have pam_console launch programs such as ainit in a context
determined by the user role.
Option 3 might be the best one long-term.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: alsa.diff
Type: text/x-diff
Size: 1033 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050721/aa541f5b/attachment.bin>
More information about the fedora-selinux-list
mailing list