From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.
Date: Tue, 22 Jun 2010 23:14:28 +0200 [thread overview]
Message-ID: <4C2127B4.3080909@gmail.com> (raw)
In-Reply-To: <1277236148.19832.6.camel@gorn.columbia.tresys.com>
On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:
>> +## <desc>
>> +## <p>
>> +## Allow IRC Clients to connect to any TCP port,
>> +## and to bind TCP sockets to any unreserved port.
>> +## </p>
>> +## </desc>
>> +gen_tunable(irc_can_network, false)
>
> A more specific name would be better. Maybe irc_full_networking or
> something.
I had something like that "irc_use_full_network" but i thought you would
like this better becausse of other domain use similar like
"httpd_can_network_connect" etc. Feel free to change it.
>> +type irc_etc_t;
>> +files_config_file(irc_etc_t)
>
> Why is this necessary? From what I can tell, irc_t only reads it.
> Irc_t already can read etc_t files, so this seems unnecessary.
No particular reason although i am not sure if this file can hold
sensitive information. It might also come in handy for an irc_admin()
although that would be the only thing one would need irc_admin() for.
Feel free to remove it (and its corresponding file context.
>> optional_policy(`
>> + automount_dontaudit_getattr_tmp_dirs(irc_t)
>> +')
>> +
>> +optional_policy(`
>> nis_use_ypbind(irc_t)
>> ')
>> +
>> +optional_policy(`
>> + nscd_socket_use(irc_t)
>> +')
>
> These two and the netlink_route socket earlier makes it look like its
> going towards auth_use_nsswitch().
Both are actually untested. Although the the first is afaik common to
user apps with user home content.
The latter is more a guess because irssi wants to search nscd pid. So i
am assuming that it does that because it supports nscd (if one have nscd
enabled, which i do not)
So feel free to either remove that and add nscd_dontaudit_search_pid()
(or similar) or add the auth_use_nsswitch(irc_t)
Can you apply these changes or do i have to submit a new patch?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100622/ca85ec05/attachment.bin
next prev parent reply other threads:[~2010-06-22 21:14 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-22 19:36 [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI Dominick Grift
2010-06-22 19:49 ` Christopher J. PeBenito
2010-06-22 21:14 ` Dominick Grift [this message]
2010-06-23 8:55 ` Dominick Grift
2010-06-23 12:15 ` Christopher J. PeBenito
2010-06-23 12:28 ` Dominick Grift
2010-06-23 13:49 ` Christopher J. PeBenito
2010-06-23 13:50 ` Christopher J. PeBenito
2010-06-23 14:18 ` Dominick Grift
2010-06-23 12:35 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C2127B4.3080909@gmail.com \
--to=domg472@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.