From: dpquigl@tycho.nsa.gov (David P. Quigley) Date: Mon, 18 Aug 2008 11:31:54 -0400 Subject: [refpolicy] SeLinux policy for git-daemon In-Reply-To: <1219073827.15402.15.camel@desktop.local.neuhalfen.name> References: <1219072370.15402.6.camel@desktop.local.neuhalfen.name> <1219072116.2609.90.camel@moss-terrapins.epoch.ncsc.mil> <1219073827.15402.15.camel@desktop.local.neuhalfen.name> Message-ID: <1219073514.2609.98.camel@moss-terrapins.epoch.ncsc.mil> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2008-08-18 at 17:37 +0200, Jens Neuhalfen wrote: > Hi, > > > Hi Dave, thank you for providing that. > > > For everyone's convenience I already have the repo checked out and have > > attached his three policy template files. I think they have tpl at the > > end because the build system is supposed to substitute something in but > > it only seems to be the case with respect to the fc file. > > > > Dave is absolutely right, the tpl extension means "template" and is used > by the build system. > > There are some points, where I need some help/ideas/.. > - I guess the interface can be significantly slimmed down. > - Can/should I use Interface methods form the te file? From a > sw-engeneering standpoint I would use "subroutine" macros in the > te-file > > > Please do not hesitate to "style-correct" me, as I want to write good > gode (not just barely working code) > > Jens > > > > > > Dave > > I'm sure Chris and Dan will have better comments than I do but initially there are a couple of things that I see. The first is you might want to shorten git-daemon to gitd and replace git_daemon with gitd as well in interface names. Also since you will probably want this merged into reference policy you will want to make sure all of the comments are in English. I see a couple of comments in German through the .te file. I am not a policy guru so I can't speak to the usage of interfaces and patterns so I will leave that to Dan and Chris. One question though is how did you derive this policy. Did you use the run gitd then run the logs through audit2allow approach? Dave