From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.
Date: Wed, 23 Jun 2010 10:55:32 +0200 [thread overview]
Message-ID: <4C21CC04.1010606@gmail.com> (raw)
In-Reply-To: <1277236148.19832.6.camel@gorn.columbia.tresys.com>
On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:
Some more arguments:
>> +## <desc>
>> +## <p>
>> +## Allow IRC Clients to connect to any TCP port,
>> +## and to bind TCP sockets to any unreserved port.
>> +## </p>
>> +## </desc>
>> +gen_tunable(irc_can_network, false)
>
> A more specific name would be better. Maybe irc_full_networking or
> something.
>
irc_full_network sounds consistent. qemu uses a similar boolean
"qemu_full_network"
>>
>> +type irc_etc_t;
>> +files_config_file(irc_etc_t)
>
> Why is this necessary? From what I can tell, irc_t only reads it.
> Irc_t already can read etc_t files, so this seems unnecessary.
>
Few arguments here:
1. possible sensitive data.
2. irc_admin()
3. mozilla also has a mozilla_etc_t and also has access to
files_read_etc_files() afaik.
>> optional_policy(`
>> + automount_dontaudit_getattr_tmp_dirs(irc_t)
>> +')
>> +
>> +optional_policy(`
>> nis_use_ypbind(irc_t)
>> ')
>> +
>> +optional_policy(`
>> + nscd_socket_use(irc_t)
>> +')
>
> These two and the netlink_route socket earlier makes it look like its
> going towards auth_use_nsswitch().
>
Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
"nscd_socket_use" and "... self:netlink_route_socket
r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
So either mozillas policy is wrong here too or it is unrelated.
Fact remains that irssi searches nscd pid directories, likely looking
for the nscd.socket to connectto.
automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
to irc clients, but since the irc domain can own temporary objects, my
opinion is that we should support it.
All in all, personally i would only change the boolean name and leave
the rest unchanged.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100623/ee8881b6/attachment.bin
next prev parent reply other threads:[~2010-06-23 8:55 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-22 19:36 [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI Dominick Grift
2010-06-22 19:49 ` Christopher J. PeBenito
2010-06-22 21:14 ` Dominick Grift
2010-06-23 8:55 ` Dominick Grift [this message]
2010-06-23 12:15 ` Christopher J. PeBenito
2010-06-23 12:28 ` Dominick Grift
2010-06-23 13:49 ` Christopher J. PeBenito
2010-06-23 13:50 ` Christopher J. PeBenito
2010-06-23 14:18 ` Dominick Grift
2010-06-23 12:35 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C21CC04.1010606@gmail.com \
--to=domg472@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.