From: Devin Carraway <selinux-list@devin.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: [refpolicy] policy & patch for bitlbee
Date: Sat, 25 Aug 2007 14:00:36 -0700	[thread overview]
Message-ID: <20070825210036.GN28833@atlantic.devin.com> (raw)
In-Reply-To: <46D00510.80608@redhat.com>


On Sat, Aug 25, 2007 at 06:31:44AM -0400, Daniel J Walsh wrote:
> First comment, if you have files or directories that the confined domain
> does not need to write, and the data within is not secret, i.e. you don't
> want other domains to be able to read it, DO NOT create a type.  Just
> leave the files the default type, and use the interface to allow your
> domain to read it.

Hmm, okay.  bitlbee_share_t I put in not because /usr/share/bitlbee contains
anything sensitive (just one helpfile, at the moment), but because it has no
need to read any files of type usr_t, so by making a type for it I could avoid
granting anything on usr_t:file (usr_t:dir has r/o perms implied by
libs_legacy_use_shared_libs()).  Should I go ahead and let it read usr_t:file
for the sake of avoiding the extra type, trading off a somewhat broader scope
of access for the domain?

> type bitlbee_conf_t;
> files_config_file(bitlbee_conf_t)

There's a single sensitive piece of data here, namely an (optional) password
to connect to the bitlbee server -- roughly analogous in policy terms to an
Apache htpasswd/htdigest file.

Thanks for the feedback!


-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
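The two alternatives discussed in the message, written out as a refpolicy module fragment. This is an added illustration, not the patch posted to the thread: the domain name bitlbee_t, the .fc paths and the module version are assumptions, while bitlbee_share_t, bitlbee_conf_t, files_config_file() and the usr_t trade-off come from the thread itself.

```selinux
## bitlbee.te (illustration; bitlbee_t is an assumed name for the daemon domain)
policy_module(bitlbee, 0.1)

type bitlbee_t;
domain_type(bitlbee_t)

# Option A, as in the posted policy: a dedicated type for /usr/share/bitlbee.
# Costs an extra type plus an .fc entry and a relabel, but the domain is
# granted nothing on usr_t:file.
type bitlbee_share_t;
files_type(bitlbee_share_t)
read_files_pattern(bitlbee_t, bitlbee_share_t, bitlbee_share_t)

# Option B, as suggested in the reply: keep the help file at the default
# usr_t and grant read access through the interface instead.
# One fewer type, but the domain can now read every usr_t file.
# files_read_usr_files(bitlbee_t)

# The config file may carry the server password, so it keeps its own type
# under either option (compare an Apache htpasswd file).
type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)
read_files_pattern(bitlbee_t, bitlbee_conf_t, bitlbee_conf_t)

## bitlbee.fc (only needed for option A and the config type; paths assumed)
# /usr/share/bitlbee(/.*)?   gen_context(system_u:object_r:bitlbee_share_t,s0)
# /etc/bitlbee(/.*)?         gen_context(system_u:object_r:bitlbee_conf_t,s0)
```

To confirm which scope a built policy actually grants, `sesearch -A -s bitlbee_t -t usr_t -c file` should return nothing under option A and a read rule under option B; the same query against bitlbee_conf_t shows that only bitlbee_t, not arbitrary domains, can read the file holding the password.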


Thread overview: 5+ messages
2007-08-19  4:57 [refpolicy] policy & patch for bitlbee Devin Carraway
2007-08-25 10:31 ` Daniel J Walsh
2007-08-25 21:00   ` Devin Carraway [this message]
2007-08-26 22:45   ` Devin Carraway
2007-09-17 14:44     ` Christopher J. PeBenito