2011-04-29 11:20:13

by domg472

Subject: [refpolicy] [PATCH] policy module for atop

On 04/29/2011 01:04 PM, Elia Pinto wrote:

>> I have had the same idea, in reality, the daemon is a script that
>> calls atop. I did not know what was the most elegant solution and I
>> wanted to avoid the proliferation of types. But if I separate them for
>> atop - versus atopd - should use the interface init_daemon_domain,
>> init_system_domain or application_domain?


I would probably consider leaving "/usr/bin/atop" type bin_t and allow
atopd to run bin_t files (corecmd_exec_bin()). Not sure how that would
pan out in practice though.

>> The interface file was generated from sepolgen. Look also to
>> icecast.if in ref policy for example. Not an answer to your question
>> however. I will look better for this. Perhaps a bug in sepolgen?

Policy generators are not smart enough (at all).

It is a bug in sepolgen, but not one that is easily fixed.

You can just remove the atop_domtrans interface altogether since no one
calls it anyways.

>> Again this is what sepolgen generates: do you want to propose a patch :=) ?

Naw, this is just a personal nit. I bet refpolicy maintainer will not mind.


>> Always sepolgen generated . The possible patch starts to get long ....:=)


Naw just take note and leave it as is. I bet policy maintainer will not
mind.

>> No one can use them if these interfaces are not defined yet, isn't it?
>> Again generated by default from sepolgen

True but if you think like that, then you can create 1000's of
interfaces, because hey, who knows, someone some day might need one of
them ;)

So remove any unused interfaces. If someone needs to interact with your
atopd domain then they will add the required interfaces.

>> Ok, for this. For the rest, the interface atopd_admin (and all the
>> interfaces) was generated from sepolgen

ok looks like a bug in sepolgen.

>> Ok

These are just small personal comments, no big deal. I bet the policy
maintainer will not mind.

>> In this case atop. But I think it is sensible to split the domain now

Maybe just label /usr/bin/atop bin_t and allow /usr/bin/atopd
corecmd_exec_bin()

>> Yes, it is.

So if you label /usr/bin/atop bin_t then you will probably be able to
remove this?

> I gather this is not optional?
>> I will look better

See if atop(d) depends on acct.
