From: stefan@seekline.net (Stefan Schulze Frielinghaus)
Date: Sun, 25 Oct 2009 16:09:18 +0100
Subject: [refpolicy] new policy pyicqt
In-Reply-To: <20091025144822.GA2698@notebook1.grift.internal>
References: <1256471963.2407.7.camel@localhost> <20091025144822.GA2698@notebook1.grift.internal>
Message-ID: <1256483358.2407.34.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 2009-10-25 at 15:48 +0100, Dominick Grift wrote:

[...]

> allow pyicqt_t self:fifo_file rw_fifo_file_perms;

I only included read/write perms because the app didn't complain about all the other permissions which rw_fifo_file_perms will include. But if it is common to use the set of permissions I will change this.

[...]

> files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })

Why should we introduce this rule? PyICQt only writes into a directory labeled as pyicqt_spool_t and therefore all new files will inherit the type.

[...]

> files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)

Same again here. Why? PyICQt writes to /var/run/pyicq-t which is labeled as pyicqt_var_run_t and therefore all new files will inherit this type.

[...]

> libs ... deprecated upstream

And what interface do we use instead? I guess I need to include a rule to read lib_t files, right?

[...]

> > corenet_tcp_connect_generic_port(pyicqt_t)
> > corenet_sendrecv_unlabeled_packets(pyicqt_t)
>
> for compatibility:
> corenet_all_recvfrom_unlabeled(pyicqt_t)
> corenet_all_recvfrom_netlabel(pyicqt_t)
> corenet_tcp_sendrecv_generic_if(pyicqt_t)
> corenet_tcp_sendrecv_generic_node(pyicqt_t)
> corenet_sendrecv_generic_client_packets(pyicqt_t)

Yep. Will include those. I only included the two interfaces above because PyICQt didn't complain about other rules. But if they are mandatory for compatibility I will include them.

> Other:
> Some style issues: example files_read_etc_files is below files_read_usr_files (not in alphabetical order)

Is alphabetic order important? I can change this, no problem. But my actual intention was to group the two interface calls for /etc/{nsswitch.conf,resolv.conf}.

> pyicqt.if does not have a description.

Yep. But isn't a summary line sufficient?

> You declared pyicqt_var_log_t but nowhere in personal policy pyicqt_t interacts with it.

Uh, good point. I will fix that after the other points above are cleared.
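The filetrans questions in the thread hinge on when a type transition actually fires: a file created inside a directory already labeled pyicqt_spool_t or pyicqt_var_run_t inherits that type from its parent, but a directory the daemon creates itself directly under /var/spool or /var/run (the latter is typically an empty tmpfs after boot) inherits var_spool_t or var_run_t unless a transition rule exists. The refpolicy-style pyicqt.te fragment below is an added example for this page, not the module posted to the list or Dominick's review; it assembles the rules discussed above with comments on what each one is for. The interface names are real refpolicy interfaces of that era; the module version, the /var/spool/pyicq-t path and the log path are assumptions for illustration.

```selinux
policy_module(pyicqt, 0.1)   # version number is a placeholder

########################################
#
# Declarations
#

type pyicqt_t;
type pyicqt_exec_t;
init_daemon_domain(pyicqt_t, pyicqt_exec_t)

type pyicqt_spool_t;
files_spool_file(pyicqt_spool_t)

type pyicqt_var_run_t;
files_pid_file(pyicqt_var_run_t)

type pyicqt_var_log_t;
logging_log_file(pyicqt_var_log_t)

########################################
#
# Local policy
#

# FIFOs the daemon creates for its own use. rw_fifo_file_perms is the
# permission set refpolicy normally grants a domain on its own pipes;
# it is a superset of the bare read/write the daemon happened to trigger.
allow pyicqt_t self:fifo_file rw_fifo_file_perms;

# Spool: manage_* grants create/read/write/unlink on dirs and files of the
# given type. The filetrans only matters when pyicqt_t creates a new entry in
# a var_spool_t directory, i.e. when /var/spool/pyicq-t (assumed path) does
# not exist yet; without it that new entry would be labeled var_spool_t.
manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })

# PID directory: same reasoning. /var/run is usually a tmpfs that is empty
# after a reboot, so the daemon re-creates /var/run/pyicq-t itself and
# would get var_run_t on it unless this transition exists.
manage_dirs_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, { dir file })

# Log file: a declared type is dead weight unless the domain is allowed to
# use it and newly created log files are transitioned onto it.
manage_files_pattern(pyicqt_t, pyicqt_var_log_t, pyicqt_var_log_t)
logging_log_filetrans(pyicqt_t, pyicqt_var_log_t, file)

# Network: the compatibility set for a plain TCP client plus the
# outbound connect the daemon actually needs.
corenet_all_recvfrom_unlabeled(pyicqt_t)
corenet_all_recvfrom_netlabel(pyicqt_t)
corenet_tcp_sendrecv_generic_if(pyicqt_t)
corenet_tcp_sendrecv_generic_node(pyicqt_t)
corenet_sendrecv_generic_client_packets(pyicqt_t)
corenet_tcp_connect_generic_port(pyicqt_t)

# Name resolution: /etc/nsswitch.conf and /etc/resolv.conf. Grouping these
# two calls is the intent mentioned in the thread; refpolicy style keeps
# interface calls sorted alphabetically within a block instead.
files_read_etc_files(pyicqt_t)
sysnet_read_config(pyicqt_t)

# The matching pyicqt.fc entries (constructed; paths are assumptions except
# /var/run/pyicq-t, which the thread names) would be:
#   /var/spool/pyicq-t(/.*)?  gen_context(system_u:object_r:pyicqt_spool_t,s0)
#   /var/run/pyicq-t(/.*)?    gen_context(system_u:object_r:pyicqt_var_run_t,s0)
#   /var/log/pyicq-t(/.*)?    gen_context(system_u:object_r:pyicqt_var_log_t,s0)
```

The .fc entries only take effect at relabel time; the filetrans rules are what keep the labels correct when the daemon re-creates its directories at runtime, which is the case "the app didn't complain" testing on an already-labeled filesystem does not exercise.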