Re: [gamin] gam_server and SElinux



On Mon, May 12, 2008 at 01:10:12PM -0400, Daniel J Walsh wrote:
> Well most !root UID's run with the same context so it would not be a lot
> of gam_servers running.  The problem from an SELinux point of view is,
> when rpm installs are run via packagekitd they run as rpm_t which is a
> very unconfined domain,  later if a confined domain can talk to gamin it
> can circumvent security.  So I guess the question would be, what does
> the library do when its gamin_server connect call is denied?  How does
> the gamin_library find the gamin_server that is running with the correct
> UID?

  Very simple, the server exports an (abstract, i.e. not mapped on the
file system) socket using the username in the path, as I pointed out in
comment #18 of https://bugzilla.redhat.com/show_bug.cgi?id=437633
  If you were to generalize that, you would have to expand that
socket name with some sort of identifier for the SELinux context used,
probably in the fallback. Might not be that hard for someone knowing
SELinux, but the real challenge is in testing/deploying and making sure
it doesn't break in various scenarios. As already stated but worth repeating,
gamin debugging is really not fun. But if you think it's worth chasing,
go for it. There is some debugging help, see for example
   http://www.gnome.org/~veillard/gamin/debug.html
and see
   http://www.gnome.org/~veillard/gamin/security.html
for a description of the assumptions and the socket name(s).

Daniel


-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/

