[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

Dominick Grift domg472 at gmail.com
Wed Jun 23 07:35:20 CDT 2010


On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:

>>>>  optional_policy(`
>>>> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>>  	nis_use_ypbind(irc_t)
>>>>  ')
>>>> +
>>>> +optional_policy(`
>>>> +	nscd_socket_use(irc_t)
>>>> +')
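
Review bot: the two new optional_policy blocks, automount_dontaudit_getattr_tmp_dirs(irc_t) and nscd_socket_use(irc_t), carry no comment saying which irssi access they cover. A dontaudit rule keeps the denial out of the audit log, so the reason for silencing it should be recorded next to the call. The nscd_socket_use(irc_t) block, which sits right after the existing nis_use_ypbind(irc_t), would likewise be easier to review with a one-line comment on why the IRC domain needs the nscd socket.
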
>>>
>>> These two and the netlink_route socket earlier make it look like it's
>>> going towards auth_use_nsswitch().
>>>
>>
>> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
>> "nscd_socket_use" and "... self:netlink_route_socket
>> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
> 
> I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
> perms.  Mozilla does not have nis_use_ypbind(), so it doesn't seem to
> need auth_use_nsswitch() yet.  That's not the case here.
> 
>> So either Mozilla's policy is wrong here too or it is unrelated.
>>
>> Fact remains that irssi searches nscd pid directories, likely looking
>> for the nscd.socket to connectto.
>>
>> automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
>> to irc clients, but since the irc domain can own temporary objects, my
>> opinion is that we should support it.
>>
>> All in all, personally I would only change the boolean name and leave
>> the rest unchanged.
>>
> 

Also note that nis_use_ypbind(irc_t) was already there for irc_t. But
nonetheless my irssi policy also has it. The underlying idea for me was
to support NIS (which I cannot confirm actually works).
