[refpolicy] new policy pyicqt

Dominick Grift domg472 at gmail.com
Sun Oct 25 09:48:25 CDT 2009


On Sun, Oct 25, 2009 at 12:59:23PM +0100, Stefan Schulze Frielinghaus wrote:
> Hi all,
Hello, I have made some comments in-line.
> 
> attached is a new policy for the ICQ transport PyICQt. I lost track of
> head development ... guess the following lines are redundant now
> 
> libs_use_ld_so(pyicqt_t)
> libs_use_shared_libs(pyicqt_t)
> libs_read_lib_files(pyicqt_t)
> 
> and can be changed to
> 
> libs_read_lib_files(pyicqt_t)
> 
> I tested the policy on CentOS 5 for a couple of months with ejabberd so
> hope everything is fine tested ;-)
> 
> cheers
> Stefan

> /etc/pyicq-t(/.*)?			gen_context(system_u:object_r:pyicqt_conf_t,s0)
> 
> /usr/share/pyicq-t/PyICQt\.py	--	gen_context(system_u:object_r:pyicqt_exec_t,s0)
> 
> /var/log/pyicq-t\.log		--	gen_context(system_u:object_r:pyicqt_log_t,s0)
> 
> /var/run/pyicq-t(/.*)?			gen_context(system_u:object_r:pyicqt_var_run_t,s0)
> 
> /var/spool/pyicq-t(/.*)?		gen_context(system_u:object_r:pyicqt_spool_t,s0)

> ## <summary>PyICQt is an ICQ transport for XMPP server.</summary>

> 
> policy_module(pyicqt, 1.0.0)
> 
> ########################################
> #
> # Declarations
> #
> 
> type pyicqt_t;
> type pyicqt_exec_t;
> init_daemon_domain(pyicqt_t,pyicqt_exec_t)
> 
> type pyicqt_conf_t;
> files_config_file(pyicqt_conf_t)
> 
> type pyicqt_spool_t;
> files_type(pyicqt_spool_t)
> 
> type pyicqt_var_run_t;
> files_pid_file(pyicqt_var_run_t)
> 
> type pyicqt_log_t;
> logging_log_file(pyicqt_log_t)
> 
> ########################################
> #
> # PyICQt policy
> #
> 
> allow pyicqt_t self:fifo_file { read write };
allow pyicqt_t self:fifo_file rw_fifo_file_perms;
> allow pyicqt_t self:tcp_socket create_socket_perms;
> allow pyicqt_t self:udp_socket create_socket_perms;
> 
> read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
> 
> manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
> manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
> 
> manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
> 
> libs_use_ld_so(pyicqt_t)
> libs_use_shared_libs(pyicqt_t)
> libs_read_lib_files(pyicqt_t)

libs ... deprecated upstream

> files_read_usr_files(pyicqt_t)
> files_search_spool(pyicqt_t)

files_search_spool (likely) included with files_spool_filetrans (not sure)
> 
> # /etc/nsswitch.conf
> files_read_etc_files(pyicqt_t)
> # /etc/resolv.conf
> sysnet_read_config(pyicqt_t)
> 
> dev_read_urand(pyicqt_t)
> 
> corecmd_exec_bin(pyicqt_t)
> 
> kernel_read_system_state(pyicqt_t)
> 
> miscfiles_read_localization(pyicqt_t)
> 
> corenet_tcp_connect_generic_port(pyicqt_t)
> corenet_sendrecv_unlabeled_packets(pyicqt_t)

for compatibility:
corenet_all_recvfrom_unlabeled(pyicqt_t)
corenet_all_recvfrom_netlabel(pyicqt_t)
corenet_tcp_sendrecv_generic_if(pyicqt_t)
corenet_tcp_sendrecv_generic_node(pyicqt_t)
corenet_sendrecv_generic_client_packets(pyicqt_t)

Other:
Some style issues: for example, files_read_etc_files is below files_read_usr_files (not in alphabetical order).
pyicqt.if does not have a description.
You declared pyicqt_var_log_t, but nowhere in the personal policy does pyicqt_t interact with it.

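For reference, here is what pyicqt.te looks like with the review comments above applied (the deprecated libs_* calls dropped, the filetrans interfaces and the corenet compatibility block added, interface calls sorted by module, and the unused log type actually granted to the domain). This is an added example, not Stefan's attached file nor the module as it was later merged; the version bump and the append_files_pattern/logging_log_filetrans lines for pyicqt_log_t are my assumption of the intended fix.

```selinux
policy_module(pyicqt, 1.0.1)
# Declarations
type pyicqt_t;
type pyicqt_exec_t;
init_daemon_domain(pyicqt_t, pyicqt_exec_t)

type pyicqt_conf_t;
files_config_file(pyicqt_conf_t)

type pyicqt_log_t;
logging_log_file(pyicqt_log_t)

type pyicqt_spool_t;
files_type(pyicqt_spool_t)

type pyicqt_var_run_t;
files_pid_file(pyicqt_var_run_t)

# PyICQt local policy
allow pyicqt_t self:fifo_file rw_fifo_file_perms;
allow pyicqt_t self:tcp_socket create_socket_perms;
allow pyicqt_t self:udp_socket create_socket_perms;

read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)

# pyicqt_log_t was declared but never granted to the domain (assumed fix)
append_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)

manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })

manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)

# interface calls ordered by module, as the reviewer asked
kernel_read_system_state(pyicqt_t)
corecmd_exec_bin(pyicqt_t)
corenet_all_recvfrom_unlabeled(pyicqt_t)
corenet_all_recvfrom_netlabel(pyicqt_t)
corenet_tcp_sendrecv_generic_if(pyicqt_t)
corenet_tcp_sendrecv_generic_node(pyicqt_t)
corenet_sendrecv_generic_client_packets(pyicqt_t)
corenet_tcp_connect_generic_port(pyicqt_t)
dev_read_urand(pyicqt_t)
files_read_etc_files(pyicqt_t)
files_read_usr_files(pyicqt_t)
miscfiles_read_localization(pyicqt_t)
sysnet_read_config(pyicqt_t)
```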