From: stefan@seekline.net (Stefan Schulze Frielinghaus)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] new policy pyicqt
Date: Sun, 25 Oct 2009 16:09:18 +0100
Message-ID: <1256483358.2407.34.camel@localhost>
In-Reply-To: <20091025144822.GA2698@notebook1.grift.internal>
On Sun, 2009-10-25 at 15:48 +0100, Dominick Grift wrote:
[...]
> allow pyicqt_t self:fifo_file rw_fifo_file_perms;
I only included read/write perms because the app didn't complain on all
the other permissions which rw_fifo_file_perms will include. But if it
is common to use the set of permissions I will change this.
[...]
> files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
Why should we introduce this rule? PyICQt only writes into a directory
labeled as pyicqt_spool_t and therefore all new files will inherit the
type.
[...]
> files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
Same again here. Why? PyICQt writes to /var/run/pyicq-t which is labeled
as pyicqt_var_run_t and therefore all new files will inherit this type.
[...]
> libs ... deprecated upstream
And what interface do we use instead? I guess I need to include a rule
to read lib_t files, right?
[...]
> > corenet_tcp_connect_generic_port(pyicqt_t)
> > corenet_sendrecv_unlabeled_packets(pyicqt_t)
>
> for compatibility:
> corenet_all_recvfrom_unlabeled(pyicqt_t)
> corenet_all_recvfrom_netlabel(pyicqt_t)
> corenet_tcp_sendrecv_generic_if(pyicqt_t)
> corenet_tcp_sendrecv_generic_node(pyicqt_t)
> corenet_sendrecv_generic_client_packets(pyicqt_t)
Yep. Will include those. I only included the two interfaces above
because PyICQt didn't complain for other rules. But if they are
mandatory for compatibility I will include them.
> Other:
> Some style issues: example files_read_etc_files is below files_read_usr_files (not in alphabetical order)
Is alphabetic order important? I can change this no problem. But my
actual intention was to group the two interface calls
for /etc/{nsswitch.conf,resolv.conf}.
> pyicqt.if does not have a description.
Yep. But isn't a summary line sufficient?
> You declared pyicqt_var_log_t, but nowhere in the personal policy does pyicqt_t interact with it.
Uh good point. I will fix that after the other points above are cleared.
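Two of the points above (whether the filetrans interfaces change anything, and the declared-but-unused pyicqt_var_log_t) can be checked mechanically. The script below is an added example written for this archive page, not code from the thread or from refpolicy. It embeds a constructed sketch of pyicqt.te assembled from the interface names quoted in the thread (an assumption about the final module, not the one Stefan posted), lints it for types that no rule relates to the domain, and models SELinux's default labeling of new files: inherit the parent directory's type unless a type_transition rule for (creator domain, parent type, class) exists. The expansion of files_spool_filetrans to a var_spool_t parent and files_pid_filetrans to var_run_t is taken from refpolicy's filetrans_pattern and is labelled as an assumption in the code.

```python
"""Lint a refpolicy .te sketch and model default file labeling.

Added example for this thread; the embedded module text is a constructed
sketch built from the interfaces named in the discussion, not the policy
that was actually submitted.
"""
import re

# Constructed sketch of pyicqt.te (assumption, not the posted module).
PYICQT_TE = """
policy_module(pyicqt, 1.0.0)

type pyicqt_t;
type pyicqt_exec_t;
init_daemon_domain(pyicqt_t, pyicqt_exec_t)

type pyicqt_spool_t;
files_spool_file(pyicqt_spool_t)

type pyicqt_var_log_t;
logging_log_file(pyicqt_var_log_t)

type pyicqt_var_run_t;
files_pid_file(pyicqt_var_run_t)

allow pyicqt_t self:fifo_file rw_fifo_file_perms;

manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })

manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)

corenet_all_recvfrom_unlabeled(pyicqt_t)
corenet_all_recvfrom_netlabel(pyicqt_t)
corenet_tcp_sendrecv_generic_if(pyicqt_t)
corenet_tcp_sendrecv_generic_node(pyicqt_t)
corenet_sendrecv_generic_client_packets(pyicqt_t)
corenet_tcp_connect_generic_port(pyicqt_t)

files_read_etc_files(pyicqt_t)
files_read_usr_files(pyicqt_t)
"""

# Parent directory type each filetrans interface keys on. Assumption taken
# from refpolicy's filetrans_pattern: spool -> var_spool_t, pid -> var_run_t.
FILETRANS_PARENT = {
    "files_spool_filetrans": "var_spool_t",
    "files_pid_filetrans": "var_run_t",
}

CALL_RE = re.compile(r"^\s*(\w+)\((.*)\)\s*$")


def declared_types(te):
    """All `type foo_t;` declarations in the module, in order."""
    return re.findall(r"^\s*type\s+(\w+)\s*;", te, re.M)


def unused_types(te, domain):
    """Declared types that never appear in a rule together with `domain`."""
    types = declared_types(te)
    used = set()
    for line in te.splitlines():
        if not re.search(rf"\b{re.escape(domain)}\b", line):
            continue
        for t in types:
            if t != domain and re.search(rf"\b{t}\b", line):
                used.add(t)
    return [t for t in types if t != domain and t not in used]


def split_args(arg_str):
    """Split 'a, b, { dir file }' into ['a', 'b', '{ dir file }']."""
    args, depth, cur = [], 0, ""
    for ch in arg_str:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args


def type_transitions(te):
    """Expand the filetrans interfaces into {(domain, parent, class): new_type}."""
    rules = {}
    for line in te.splitlines():
        m = CALL_RE.match(line)
        if not m or m.group(1) not in FILETRANS_PARENT:
            continue
        dom, new_type, classes = split_args(m.group(2))[:3]
        parent = FILETRANS_PARENT[m.group(1)]
        for cls in classes.strip("{} ").split():
            rules[(dom, parent, cls)] = new_type
    return rules


def label_of_new_object(rules, domain, parent_type, cls):
    """Default labeling: parent's type unless a matching type_transition exists
    (simplified: no filename-based transitions, no MLS)."""
    return rules.get((domain, parent_type, cls), parent_type)


if __name__ == "__main__":
    rules = type_transitions(PYICQT_TE)
    print("unused types:", unused_types(PYICQT_TE, "pyicqt_t"))
    for parent in ("pyicqt_spool_t", "var_spool_t", "var_run_t"):
        print(parent, "->", label_of_new_object(rules, "pyicqt_t", parent, "file"))
```

Run stand-alone it reports pyicqt_var_log_t as the only type no rule ties to pyicqt_t, and shows that a file created inside a pyicqt_spool_t directory gets pyicqt_spool_t with or without the transition, while the transition only matters for a file created directly in a var_spool_t or var_run_t parent.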
Thread overview:
2009-10-25 11:59 [refpolicy] new policy pyicqt Stefan Schulze Frielinghaus
2009-10-25 14:48 ` Dominick Grift
2009-10-25 15:09 ` Stefan Schulze Frielinghaus [this message]
2009-10-25 16:30 ` Dominick Grift
2009-10-25 21:14 ` Stefan Schulze Frielinghaus
2009-10-26 19:40 ` Stefan Schulze Frielinghaus