[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[domg472@gmail.com (Dominick Grift)]

On 06/23/2010 03:50 PM, Christopher J. PeBenito wrote:
> On Wed, 2010-06-23 at 09:49 -0400, Christopher J. PeBenito wrote:
>> On Wed, 2010-06-23 at 14:28 +0200, Dominick Grift wrote:
>>> On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:
>>>
>>>>>>>  
>>>>>>> +type irc_etc_t;
>>>>>>> +files_config_file(irc_etc_t)
>>>>>>
>>>>>> Why is this necessary?  From what I can tell, irc_t only reads it.
>>>>>> Irc_t already can read etc_t files, so this seems unnecessary.
>>>>>>
>>>>>
>>>>> Few arguments here:
>>>>>
>>>>> 1. possible sensitive data.
>>>>
>>>> Such as?
>>>>
>>>
>>> For example: "proxy_password = "";"
>>
>> Perhaps.  Though I suspect its actually not that sensitive, and its
>> probably easy to get through the app itself.
>>
>>>>> 2. irc_admin()
>>>>
>>>> I'm not really compelled by this.  I don't think regular apps have
>>>> admins.
>>>
>>> Well this is a system-wide config in /etc/irssi.conf only an (irc) admin
>>> can set system-wide overrides.
> 
> I'm still not compelled by the idea of an irc admin.

Alright, why not commit what you think is right and drop the rest?

> 
>>>>
>>>>> 3. mozilla also has a mozilla_etc_t and also has access to
>>>>> files_read_etc_files() afaik.
>>>>
>>>> If anything, this just tells me that mozilla is wrong too.
>>>
>>> That may indeed be wrong but i still believe irc_etc_t is the right
>>> thing to do for irc_t.
>>>
>>>>>>>  optional_policy(`
>>>>>>> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
>>>>>>> +')
>>>>>>> +
>>>>>>> +optional_policy(`
>>>>>>>  	nis_use_ypbind(irc_t)
>>>>>>>  ')
>>>>>>> +
>>>>>>> +optional_policy(`
>>>>>>> +	nscd_socket_use(irc_t)
>>>>>>> +')
>>>>>>
>>>>>> These two and the netlink_route socket earlier makes it look like its
>>>>>> going towards auth_use_nsswitch().
>>>>>>
>>>>>
>>>>> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
>>>>> "nscd_socket_use" and "... self:netlink_route_socket
>>>>> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
>>>>
>>>> I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
>>>> perms.  Mozilla does not have nis_use_ypbind(), so it doesn't seem to
>>>> need auth_use_nsswitch() yet.  Thats not the case here.
>> [...]
>>> I am not sure here. Like i said before; i do not have a nis nor ldap or
>>> nscd configuration. The netlink socket perms are confirmed to be
>>> required for irssi, and i can also confirm that irssi atleast searches
>>> nscd pid directories. I can only assume it does that to find the
>>> nscd.socket.
>>>
>>> If you are not comfortable with adding auth_use_nsswitch(irc_t), then
>>> please add nscd_dontaudit_search_pid() and remove the nscd_socket_use
>>> and nis_use_ypbind.
>>>
>>> For what it is worth: In my personal branch i decided to just add
>>> auth_use_nsswitch(irc_t).
>>
>> I think you misunderstand.  I think auth_use_nsswitch(irc_t) _should_ be
>> in there.
>>
> 

Alright, i cannot confirm nor deny. Why not commit what you think is right?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100623/0735859b/attachment.bin