[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.
domg472 at gmail.com
Tue Jun 22 16:14:28 CDT 2010
On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:
>> +## <desc>
>> +## <p>
>> +## Allow IRC Clients to connect to any TCP port,
>> +## and to bind TCP sockets to any unreserved port.
>> +## </p>
>> +## </desc>
>> +gen_tunable(irc_can_network, false)
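Review bot: The description for `irc_can_network` puts two different permissions behind one boolean: connecting to any TCP port, and binding TCP sockets to any unreserved port. A site that only wants outbound connections to non-standard ports would have to grant the bind permission as well. Consider one tunable for connect and one for bind, each with a name that says which it controls. The default of false is the right choice.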
> A more specific name would be better. Maybe irc_full_networking or
I had something like that, "irc_use_full_network", but I thought you would
like this better because other domains use similar names, like
"httpd_can_network_connect" etc. Feel free to change it.
>> +type irc_etc_t;
> Why is this necessary? From what I can tell, irc_t only reads it.
> Irc_t already can read etc_t files, so this seems unnecessary.
No particular reason, although I am not sure if this file can hold
sensitive information. It might also come in handy for an irc_admin(),
although that would be the only thing one would need irc_admin() for.
Feel free to remove it (and its corresponding file context).
>> + automount_dontaudit_getattr_tmp_dirs(irc_t)
>> + nscd_socket_use(irc_t)
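Review bot: These two calls differ in kind and neither carries a comment saying what prompted it: `automount_dontaudit_getattr_tmp_dirs(irc_t)` only silences a denial, while `nscd_socket_use(irc_t)` grants irc_t use of the nscd socket. Add a one-line comment above each naming the denial it answers, and confirm the granting rule against an actual denial before it goes in.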
> These two and the netlink_route socket earlier makes it look like its
> going towards auth_use_nsswitch().
Both are actually untested. Although the first is afaik common to
user apps with user home content.
The latter is more a guess because irssi wants to search nscd pid. So I
am assuming that it does that because it supports nscd (if one has nscd
enabled, which I do not).
So feel free to either remove that and add nscd_dontaudit_search_pid()
(or similar) or add the auth_use_nsswitch(irc_t).
Can you apply these changes or do I have to submit a new patch?