On Wed, 2004-04-21 at 18:57, Thomas Bleher wrote:

> Not sure what you mean by "incompatible". Writing policy for fam is not
> difficult, in fact I have written some policy for fam some time ago
> (diff against CVS attached). It is however impossible to prevent some
> information leakage when using fam. The attached policy is very liberal
> regarding this, allowing any userdomain to monitor any file. For a more
> secure setup fam should only be able to monitor user_home_t and
> user_tmp_t.

Well, that's not the only thing that it's desirable to monitor. For example, the GNOME theme manager monitors the theme installation directory, so if you install a new theme, it automatically shows up in the theme list. Similarly with the menu system.

> A full solution requires modifications to fam: it should check the
> security context of the caller (like it does already with uid and gid)
> and only monitor the files if they can be accessed by the caller.

Right - I think someone here looked at doing that and just gave up. We have someone working on writing a new file monitoring system, hopefully something will happen there soon.

Anyways, I think it makes some sense to include your FAM policy as a temporary solution for people who run SELinux and also want the file monitoring. But I will leave that decision up to Dan Walsh, the main policy maintainer. Hopefully he'll comment here.

> http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages

I see you're using Arch to maintain the policy, very cool. I really wish we could do that here. Editing patches in Emacs' diff-mode and committing to CVS just isn't quite the same...