[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[domg472@gmail.com (Dominick Grift)]

On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:

>>>>  
>>>> +type irc_etc_t;
>>>> +files_config_file(irc_etc_t)
>>>
>>> Why is this necessary?  From what I can tell, irc_t only reads it.
>>> Irc_t already can read etc_t files, so this seems unnecessary.
>>>
>>
>> Few arguments here:
>>
>> 1. possible sensitive data.
> 
> Such as?
> 

For example: "proxy_password = "";"

>> 2. irc_admin()
> 
> I'm not really compelled by this.  I don't think regular apps have
> admins.

Well this is a system-wide config in /etc/irssi.conf only an (irc) admin
can set system-wide overrides.

> 
>> 3. mozilla also has a mozilla_etc_t and also has access to
>> files_read_etc_files() afaik.
> 
> If anything, this just tells me that mozilla is wrong too.

That may indeed be wrong but i still believe irc_etc_t is the right
thing to do for irc_t.

>>>>  optional_policy(`
>>>> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>>  	nis_use_ypbind(irc_t)
>>>>  ')
>>>> +
>>>> +optional_policy(`
>>>> +	nscd_socket_use(irc_t)
>>>> +')
>>>
>>> These two and the netlink_route socket earlier makes it look like its
>>> going towards auth_use_nsswitch().
>>>
>>
>> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
>> "nscd_socket_use" and "... self:netlink_route_socket
>> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
> 
> I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
> perms.  Mozilla does not have nis_use_ypbind(), so it doesn't seem to
> need auth_use_nsswitch() yet.  Thats not the case here.
> 
>> So either mozillas policy is wrong here too or it is unrelated.
>>
>> Fact remains that irssi searches nscd pid directories, likely looking
>> for the nscd.socket to connectto.
>>
>> automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
>> to irc clients, but since the irc domain can own temporary objects, my
>> opinion is that we should support it.
>>
>> All in all, personally i would only change the boolean name and leave
>> the rest unchanged.
>>
> 

I am not sure here. Like i said before; i do not have a nis nor ldap or
nscd configuration. The netlink socket perms are confirmed to be
required for irssi, and i can also confirm that irssi atleast searches
nscd pid directories. I can only assume it does that to find the
nscd.socket.

If you are not comfortable with adding auth_use_nsswitch(irc_t), then
please add nscd_dontaudit_search_pid() and remove the nscd_socket_use
and nis_use_ypbind.

For what it is worth: In my personal branch i decided to just add
auth_use_nsswitch(irc_t).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100623/83f9d736/attachment.bin