* Colin Walters <walters@xxxxxxxxxx> [2004-04-19 21:26]: > On Mon, 2004-04-19 at 14:21, jacob wrote: > > * fam & nautilus are the ones spewing out the most avc messages in > > dmesg. > > fam is known to be incompatible with SELinux. I'm working on a patch to > disable it if SELinux is enabled. What nautilus AVC messages are you > seeing? the /initrd one is a known issue, also on my queue of stuff to > fix. Not sure what you mean by "incompatible". Writing policy for fam is not difficult, in fact I have written some policy for fam some time ago (diff against CVS attached). It is however impossible to prevent some information leakage when using fam. The attached policy is very liberal regarding this, allowing any userdomain to monitor any file. For a more secure setup fam should only be able to monitor user_home_t and user_tmp_t. A full solution requires modifications to fam: it should check the security context of the caller (like it does already with uid and gid) and only monitor the files if they can be accessed by the caller. Thomas -- http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7 Disclaimer: The quote was selected randomly. Really.
--- /dev/null 1970-01-01 01:00:00.000000000 +0100
+++ policy/domains/program/unused/famd.te 2004-04-21 23:43:24.000000000 +0200
@@ -0,0 +1,27 @@
+# DESC famd - File Alteration Monitor (FAM) daemon
+#
+# Author: Thomas Bleher <ThomasBleher@xxxxxx>
+
+rpc_domain(famd)
+allow famd_t self:unix_stream_socket create_stream_socket_perms;
+allow famd_t self:unix_dgram_socket { connect create write };
+allow famd_t self:fifo_file { read write };
+allow famd_t port_t:{ tcp_socket udp_socket } name_bind;
+
+# why does it need this?
+allow famd_t self:capability { chown setgid setuid };
+
+tmp_domain(famd)
+# read /etc/mtab
+allow famd_t etc_runtime_t:file read;
+
+# monitor all files
+allow famd_t { file_type - shadow_t }:dir { search getattr read };
+allow famd_t { file_type - shadow_t }:{ lnk_file file } getattr;
+allow famd_t { file_type - shadow_t }:lnk_file read;
+dontaudit famd_t { sysfs_t security_t domain proc_t }:dir { search getattr read };
+dontaudit famd_t { self proc_t }:{ file lnk_file } getattr;
+
+allow userdomain famd_tmp_t:sock_file write;
+allow userdomain famd_t:unix_stream_socket connectto;
+
--- policy/domains/program/unused/rpcd.te 2004-04-21 23:43:13.000000000 +0200
+++ policy/domains/program/unused/rpcd.te 2004-04-21 23:43:24.000000000 +0200
@@ -12,15 +12,2 @@
#
-define(`rpc_domain', `
-daemon_base_domain($1)
-can_network($1_t)
-allow $1_t etc_t:file { getattr read };
-read_locale($1_t)
-allow $1_t self:capability net_bind_service;
-
-allow $1_t var_t:dir { getattr search };
-allow $1_t var_lib_t:dir { search };
-allow $1_t var_lib_nfs_t:dir create_dir_perms;
-allow $1_t var_lib_nfs_t:file create_file_perms;
-')
-
# rpcd_t is the domain of rpc daemons.
--- /dev/null 1970-01-01 01:00:00.000000000 +0100
+++ policy/file_contexts/program/famd.fc 2004-04-21 23:43:24.000000000 +0200
@@ -0,0 +1,2 @@
+# famd
+/usr/sbin/famd -- system_u:object_r:famd_exec_t
--- /dev/null 1970-01-01 01:00:00.000000000 +0100
+++ policy/macros/program/rpcd_macros.te 2004-04-21 23:43:24.000000000 +0200
@@ -0,0 +1,19 @@
+# Macros for RPCD-domains
+#
+# Authors: Stephen Smalley <sds@xxxxxxxxxxxxxx> and Timothy Fraser
+# Russell Coker <russell@xxxxxxxxxxxx>
+#
+
+define(`rpc_domain', `
+daemon_base_domain($1)
+can_network($1_t)
+allow $1_t etc_t:file { getattr read };
+read_locale($1_t)
+allow $1_t self:capability net_bind_service;
+
+allow $1_t var_t:dir { getattr search };
+allow $1_t var_lib_t:dir { search };
+allow $1_t var_lib_nfs_t:dir create_dir_perms;
+allow $1_t var_lib_nfs_t:file create_file_perms;
+')
+
Attachment:
signature.asc
Description: Digital signature
