From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 14 Nov 2012 21:18:58 +0100
Subject: [refpolicy] [PATCH 3/5] Introduce dontaudits for leaked fd and unix stream sockets
In-Reply-To: <1352921851.3654.34.camel@d30.localdomain>
References: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be>
 <1352566218-17772-4-git-send-email-sven.vermeulen@siphos.be>
 <1352916373.3654.3.camel@d30.localdomain>
 <20121114192015.GA4196@siphos.be>
 <1352921851.3654.34.camel@d30.localdomain>
Message-ID: <20121114201858.GA10250@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Nov 14, 2012 at 08:37:31PM +0100, Dominick Grift wrote:
> > Would a more generic "rw_inherited_perms" be sufficient (i.e. without
> > referring to the class)? As far as I know, inherited file descriptors or
> > sockets (or ...) are usually just { read write };
>
> I do not agree. Many kinds of objects can be inherited (think files,
> blk_files etc), and it's often not just { read write };

Ok, my bad, didn't know that.

> I personally am interested in just an inherited equivalent of any rw
> permission set that is the same except that it lacks the open permission
> (much like fedora does it)

Perhaps we should just use things like:

dontaudit $1 bar_t:file { rw_file_perms ~open }

if we want to have the same equivalent without open?

Wkr,
	Sven Vermeulen
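As an added illustration (not part of the patch series under discussion) of what an interface for a leaked, inherited descriptor looks like when written in refpolicy interface style: the type `bar_t`, the interface name, and the spelled-out permission set (assumed to be `rw_file_perms` without `open`) are all assumptions for the example.

```m4
## <summary>
##	Do not audit attempts to read and write bar_t files
##	that were inherited as leaked file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`bar_dontaudit_rw_inherited_files',`
	gen_require(`
		type bar_t;
	')

	# Assumed expansion of rw_file_perms minus open: a descriptor
	# inherited across exec never goes through open in the new domain,
	# so an open permission in the dontaudit would be wider than needed.
	dontaudit $1 bar_t:file { getattr read write append ioctl lock };

	# Inherited unix stream sockets only get the read/write pair here;
	# any wider socket permission set is left out of the dontaudit.
	dontaudit $1 bar_t:unix_stream_socket { read write };
')
```

Keeping `open` out of the inherited variant means an audit log that does show an open denial still points at a real attempt to open the file, rather than noise from a leaked descriptor.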