On Wed, 2004-04-21 at 18:57, Thomas Bleher wrote:
> Not sure what you mean by "incompatible". Writing policy for fam is not
> difficult, in fact I have written some policy for fam some time ago
> (diff against CVS attached). It is however impossible to prevent some
> information leakage when using fam. The attached policy is very liberal
> regarding this, allowing any userdomain to monitor any file. For a more
> secure setup fam should only be able to monitor user_home_t and
> user_tmp_t.

Well, that's not the only thing that it's desirable to monitor. For
example, the GNOME theme manager monitors the theme installation
directory, so if you install a new theme, it automatically shows up in
the theme list. Similarly with the menu system.

> A full solution requires modifications to fam: it should check the
> security context of the caller (like it does already with uid and gid)
> and only monitor the files if they can be accessed by the caller.

Right - I think someone here looked at doing that and just gave up. We
have someone working on writing a new file monitoring system, hopefully
something will happen there soon.

Anyways, I think it makes some sense to include your FAM policy as a
temporary solution for people who run SELinux and also want the file
monitoring. But I will leave that decision up to Dan Walsh, the main
policy maintainer. Hopefully he'll comment here.

I see you're using Arch to maintain the policy, very cool. I really
wish we could do that here. Editing patches in Emacs' diff-mode and
committing to CVS just isn't quite the same...