[refpolicy] Contribute ctdbd policy from Fedora to Refpolicy

[sven.vermeulen@siphos.be (Sven Vermeulen)]

On Mon, Jan 09, 2012 at 04:22:38PM -0500, Daniel J Walsh wrote:
> > Same here like with boinc, is there a possibility to have some
> > segregation between the "regular" ctdbd_var_lib_t and the files
> > ctdbd_t wants to execute?
> 
> Maybe if these have a constant name, but we have to ask Miroslav.
> Maybe we could use file_name_trans rules, but I still think we end up
> with a type that has to be written and executed by the same domain.

It's a bit odd that it's the "generic" _var_lib_t domain for this purpose.
It gives users a different impression (I don't imagine that any *_var_lib_t
is executed by its "parent" domain).

$ sesearch -c file -p write -A | grep execute | grep var_lib
 allow xserver_t xkb_var_lib_t : file { write ... execute execute_no_trans } ; 

That's the only one on my system where a domain has both write and execute
rights to a _var_lib_t type. When I'm aware of a domain writing and executing
files (because its "flexible" that way) I always hope that this results in a
separate domain (like with boic) or that it isn't for a wide type.

Of course, there are plenty of examples out there where this doesn't hold up
(like logrotate_t having write/execute rights for logrotate_tmp_t) so I'm
not /against/ these policies (boinc and ctdbd), just careful.

Wkr,
	Sven Vermeulen