* Colin Walters <walters(a)redhat.com> [2004-04-19 21:26]:
> On Mon, 2004-04-19 at 14:21, jacob wrote:
> > * fam & nautilus are the ones spewing out the most avc messages in
> > dmesg.
> fam is known to be incompatible with SELinux. I'm working on a patch to
> disable it if SELinux is enabled. What nautilus AVC messages are you
> seeing? The /initrd one is a known issue, also on my queue of stuff to
> fix.

Not sure what you mean by "incompatible". Writing policy for fam is not
difficult; in fact, I wrote some policy for fam some time ago
(diff against CVS attached). It is, however, impossible to prevent some
information leakage when using fam. The attached policy is very liberal
regarding this, allowing any userdomain to monitor any file. For a more
secure setup fam should only be able to monitor user_home_t and
user_tmp_t.
A full solution requires modifications to fam: it should check the
security context of the caller (like it does already with uid and gid)
and only monitor the files if they can be accessed by the caller.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
Disclaimer: The quote was selected randomly. Really.
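To make the difference Thomas describes concrete, here is an added illustration of the two policy shapes side by side, written in the plain allow-rule syntax of the example policy of that era; it is not the diff attached to the mail, which is not reproduced on this page. user_home_t and user_tmp_t come from the mail; fam_t, file_type and home_root_t are assumed names, and the rules governing how clients reach fam are left out.

```selinux
# --- Liberal form (what the mail calls "very liberal") ---
# fam_t is an assumed domain name for the fam daemon.
# file_type is the attribute every on-disk type carries, so these three
# rules let fam stat and list anything on the system. Any userdomain that
# can register a monitor can then observe changes to files it could never
# read itself: that is the information leak the mail warns about.
allow fam_t file_type:dir { getattr search read };
allow fam_t file_type:file getattr;
allow fam_t file_type:lnk_file { getattr read };

# --- Restricted form (the "more secure setup" from the mail) ---
# Only the user's own home and tmp types may be monitored, so fam can no
# longer act as a change oracle for /etc, /var, other users' homes, etc.
allow fam_t { user_home_t user_tmp_t }:dir { getattr search read };
allow fam_t { user_home_t user_tmp_t }:file getattr;
allow fam_t { user_home_t user_tmp_t }:lnk_file { getattr read };
# fam still has to traverse the directories above $HOME; search alone does
# not let it enumerate or stat their contents. home_root_t is assumed.
allow fam_t home_root_t:dir search;
```

With the restricted form, a monitor request outside user_home_t or user_tmp_t is denied by the kernel and shows up as an AVC message for fam_t, which is the signal to watch for when checking whether the policy is doing its job.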