From: stefan@seekline.net (Stefan Schulze Frielinghaus)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] new policy pyicqt
Date: Sun, 25 Oct 2009 22:14:36 +0100
Message-ID: <1256505276.2407.48.camel@localhost>
In-Reply-To: <1256488245.16257.5.camel@localhost>

On Sun, 2009-10-25 at 17:30 +0100, Dominick Grift wrote:
> On Sun, 2009-10-25 at 16:09 +0100, Stefan Schulze Frielinghaus wrote:
> > On Sun, 2009-10-25 at 15:48 +0100, Dominick Grift wrote:
> > [...] 
> > > allow pyicqt_t self:fifo_file rw_fifo_file_perms;
> > 
> > I only included read/write perms because the app didn't complain on all
> > the other permissions which rw_fifo_file_perms will include. But if it
> > is common to use the set of permissions I will change this.
> 
> > [...] 
> > > files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
> > 
> > Why should we introduce this rule? PyICQt only writes into a directory
> > labeled as pyicqt_spool_t and therefore all new files will inherit the
> > type.
> 
> So are you saying that /var/spool/pyicq-t gets installed by the package?

PyICQt is installed by default on Fedora to run as a non-root user. So,
yes, /var/{run,spool}/pyicq-t is installed by the RPM package. But I
think I know what you mean. What happens if another distro runs PyICQt
as root and uses /var/run as the base pidfile directory? I will include
this rule to make sure that other distributions won't run into trouble.

[...] 
> > > files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
> > 
> > Same again here. Why? PyICQt writes to /var/run/pyicq-t which is labeled
> > as pyicqt_var_run_t and therefore all new files will inherit this type.
> 
> So /var/run/pyicq-t gets installed by the package?

Same as above.

[...]
> See http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

Hey, cool, I wasn't aware of such a style guide. Thanks for the link and
the policy review. I will work on the suggestions and submit a new
policy.
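For reference, the three rules under discussion assembled into a minimal module the way refpolicy would expect them. This is an added illustration written for this archive page, not the policy Stefan submitted or the version that was eventually merged. The type names (pyicqt_t, pyicqt_spool_t, pyicqt_var_run_t) and the /var/run/pyicq-t and /var/spool/pyicq-t paths come from the thread; the executable path, the module version, the manage_*_pattern rules and the widening of the pid transition from `file` to `{ dir file }` are assumptions made here so the fragment is complete.

```selinux
# pyicqt.te (added example; not the policy posted in this thread)
policy_module(pyicqt, 0.1)

########################################
#
# Declarations
#

type pyicqt_t;
type pyicqt_exec_t;
init_daemon_domain(pyicqt_t, pyicqt_exec_t)

type pyicqt_spool_t;
files_spool_file(pyicqt_spool_t)

type pyicqt_var_run_t;
files_pid_file(pyicqt_var_run_t)

########################################
#
# Local policy
#

# Use the refpolicy permission set for the daemon's own pipes rather than
# the bare { read write } that happened to be the only denials observed;
# the macro also covers getattr/ioctl/lock/append that pipes need in practice.
allow pyicqt_t self:fifo_file rw_fifo_file_perms;

# Spool directory (/var/spool/pyicq-t).
files_search_spool(pyicqt_t)
manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
# Inheritance from a pre-labeled directory only works when that directory
# exists. If the package did not ship /var/spool/pyicq-t, or a distribution
# points the daemon at /var/spool directly, anything the daemon creates there
# would be var_spool_t. The transition rule labels it pyicqt_spool_t instead.
files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })

# Pid file (/var/run/pyicq-t).
files_search_pids(pyicqt_t)
manage_dirs_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
# Same reasoning for /var/run: a pidfile written straight into /var/run, or a
# /var/run/pyicq-t recreated by the daemon after a reboot, would otherwise
# inherit var_run_t. Assumed here: { dir file } instead of the thread's `file`
# so the recreated directory is covered too.
files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, { dir file })

# pyicqt.fc (executable path is assumed for this example)
/usr/bin/pyicq-t            --  gen_context(system_u:object_r:pyicqt_exec_t,s0)
/var/run/pyicq-t(/.*)?          gen_context(system_u:object_r:pyicqt_var_run_t,s0)
/var/spool/pyicq-t(/.*)?        gen_context(system_u:object_r:pyicqt_spool_t,s0)
```

The .fc entries only take effect when something relabels (package install, restorecon, a full relabel); the filetrans rules are what decide the label of objects the daemon creates at runtime. A quick way to see the difference on a running system: compare `matchpathcon /var/run/pyicq-t/pyicq-t.pid` (what the .fc says it should be) with `ls -Z /var/run/pyicq-t/` after the daemon has started without that directory existing (what the transition rule actually produced).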

Thread overview: 6+ messages
2009-10-25 11:59 [refpolicy] new policy pyicqt Stefan Schulze Frielinghaus
2009-10-25 14:48 ` Dominick Grift
2009-10-25 15:09   ` Stefan Schulze Frielinghaus
2009-10-25 16:30     ` Dominick Grift
2009-10-25 21:14       ` Stefan Schulze Frielinghaus [this message]
2009-10-26 19:40         ` Stefan Schulze Frielinghaus
