On Mon, May 12, 2008 at 01:10:12PM -0400, Daniel J Walsh wrote:
> Well most !root UID's run with the same context so it would not be a lot
> of gam_servers running. The problem from an SELinux point of view is,
> when rpm installs are run via packagekitd they run as rpm_t which is a
> very unconfined domain, later if a confined domain can talk to gamin it
> can circumvent security. So I guess the question would be, what does
> the library do when its gamin_server connect call is denied? How does
> the gamin_library find the gamin_server that is running with the correct
> UID?

Very simple, the server exports an (abstract, i.e. not mapped on the file system) socket using the username in the path, as I pointed out in comment #18 of https://bugzilla.redhat.com/show_bug.cgi?id=437633

If you were to generalize that, you would have to expand that socket name with some sort of identifier for the SELinux context used, probably in the fallback. Might not be that hard for someone knowing SELinux, but the real challenge is in testing/deploying and making sure it doesn't break in various scenarios. As already stated but worth repeating, gamin debugging is really not fun. But if you think it's worth chasing, go for it. There is some debugging help, see for example http://www.gnome.org/~veillard/gamin/debug.html

See http://www.gnome.org/~veillard/gamin/security.html for a description of the assumptions and the socket name(s).

Daniel

--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library http://libvirt.org/
[EMAIL PROTECTED]    | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
