[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.
domg472 at gmail.com
Wed Jun 23 03:55:32 CDT 2010
On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:
Some more arguments:
>> +## <desc>
>> +## <p>
>> +## Allow IRC Clients to connect to any TCP port,
>> +## and to bind TCP sockets to any unreserved port.
>> +## </p>
>> +## </desc>
>> +gen_tunable(irc_can_network, false)
> A more specific name would be better. Maybe irc_full_networking or
irc_full_network sounds consistent. qemu uses a similar boolean
>> +type irc_etc_t;
> Why is this necessary? From what I can tell, irc_t only reads it.
> Irc_t already can read etc_t files, so this seems unnecessary.
Few arguments here:
1. possible sensitive data.
3. mozilla also has a mozilla_etc_t and also has access to
>> + automount_dontaudit_getattr_tmp_dirs(irc_t)
>> + nscd_socket_use(irc_t)
> These two and the netlink_route socket earlier makes it look like its
> going towards auth_use_nsswitch().
Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
"nscd_socket_use" and "... self:netlink_route_socket
r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
So either mozillas policy is wrong here too or it is unrelated.
Fact remains that irssi searches nscd pid directories, likely looking
for the nscd.socket to connectto.
automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
to irc clients, but since the irc domain can own temporary objects, my
opinion is that we should support it.
All in all, personally i would only change the boolean name and leave
the rest unchanged.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100623/ee8881b6/attachment.bin
More information about the refpolicy