From: domg472@gmail.com (Dominick Grift)
Date: Sun, 25 Oct 2009 17:30:45 +0100
Subject: [refpolicy] new policy pyicqt
In-Reply-To: <1256483358.2407.34.camel@localhost>
References: <1256471963.2407.7.camel@localhost>
 <20091025144822.GA2698@notebook1.grift.internal>
 <1256483358.2407.34.camel@localhost>
Message-ID: <1256488245.16257.5.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 2009-10-25 at 16:09 +0100, Stefan Schulze Frielinghaus wrote:
> On Sun, 2009-10-25 at 15:48 +0100, Dominick Grift wrote:
> [...]
> > allow pyicqt_t self:fifo_files rw_fifo_file_perms;
>
> I only included read/write perms because the app didn't complain on all
> the other permissions which rw_fifo_file_perms will include. But if it
> is common to use the set of permissions I will change this.
>
> [...]
> > files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
>
> Why should we introduce this rule? PyICQt only writes into a directory
> labeled as pyicqt_spool_t and therefore all new files will inherit the
> type.

So are you saying that /var/spool/pyicq-t gets installed by the package?

>
> [...]
> > files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
>
> Same again here. Why? PyICQt writes to /var/run/pyicq-t which is labeled
> as pyicqt_var_run_t and therefore all new files will inherit this type.

So /var/run/pyicq-t gets installed by the package?

>
> [...]
> > libs ... deprecated upstream
>
> And what interface do we use instead? I guess I need to include a rule
> to read lib_t files, right?
>
> [...]
> > > corenet_tcp_connect_generic_port(pyicqt_t)
> > > corenet_sendrecv_unlabeled_packets(pyicqt_t)
> >
> > for compatibility:
> > corenet_all_recvfrom_unlabeled(pyicqt_t)
> > corenet_all_recvfrom_netlabel(pyicqt_t)
> > corenet_tcp_sendrecv_generic_if(pyicqt_t)
> > corenet_tcp_sendrecv_generic_node(pyicqt_t)
> > corenet_sendrecv_generic_client_packets(pyicqt_t)
>
> Yep. Will include those. I only included the two interfaces above
> because PyICQt didn't complain for other rules. But if they are
> mandatory for compatibility I will include them.
>
> > Other:
> > Some style issues: example files_read_etc_files is below files_read_usr_files (not in alphabetical order)
>
> Is alphabetic order important? I can change this no problem. But my
> actual intention was to group the two interface calls
> for /etc/{nsswitch.conf,resolv.conf}.

See http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

>
> > pyicqt.if does not have a description.
>
> Yep. But isn't a summary line sufficient?
>
> > You declared pyicqt_var_log_t but nowhere in personal policy pyicqt_t interacts with it.
>
> Uh good point. I will fix that after the other points above are cleared.
>
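The spool and pid questions above turn on one point: a file created inside a directory inherits that directory's type, so the filetrans rules only matter when pyicqt_t creates /var/spool/pyicq-t or /var/run/pyicq-t itself, in which case the new directory would otherwise be labeled like its parent (var_spool_t or var_t/var_run_t) and everything written below it would be mislabeled until a relabel. The fragment below is an added illustration written for this thread, not the pyicqt policy under review and not reference policy code; the module version, pyicqt_exec_t and the manage_* patterns are assumed, the interface names are real refpolicy interfaces, and the two paths are the ones discussed in the thread.

```selinux
# pyicqt.te (added example, not the submitted module)
policy_module(pyicqt, 0.0.1)   # version number is a placeholder

# Assumed domain/entrypoint pair; pyicqt_exec_t is not from the thread.
type pyicqt_t;
type pyicqt_exec_t;
init_daemon_domain(pyicqt_t, pyicqt_exec_t)

type pyicqt_spool_t;
files_spool_file(pyicqt_spool_t)

type pyicqt_var_run_t;
files_pid_file(pyicqt_var_run_t)

# Full fifo permission set on the domain's own pipes (class is fifo_file).
allow pyicqt_t self:fifo_file rw_fifo_file_perms;

# Case 1: the package installs /var/spool/pyicq-t and the .fc entry below
# labels it pyicqt_spool_t. Files the daemon creates inside inherit
# pyicqt_spool_t automatically; these access rules alone are enough.
manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)

# Case 2: the daemon (re)creates /var/spool/pyicq-t at run time. Without a
# transition the new directory is created with its parent's type,
# var_spool_t, and nothing below it is pyicqt_spool_t until restorecon runs.
# The transition makes the kernel assign pyicqt_spool_t at creation time.
files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir)

# Same reasoning for the pid directory: if only the package creates
# /var/run/pyicq-t, the transition is redundant; if the daemon creates it
# (common after a reboot on a tmpfs /var/run), the transition is required.
manage_dirs_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, { dir file })

# ---- pyicqt.fc ----
# Labels for the installed directories so that case 1 holds after a relabel.
# /var/spool/pyicq-t(/.*)?   gen_context(system_u:object_r:pyicqt_spool_t,s0)
# /var/run/pyicq-t(/.*)?     gen_context(system_u:object_r:pyicqt_var_run_t,s0)
```

Whether the transitions belong in the module is therefore answered by the question Dominick asks in the mail: if the package ships both directories, the .fc entries and the manage_* rules are sufficient; if the daemon creates either one, drop the transition and the directory comes out as var_spool_t or var_run_t, which the manage_* rules above would not even permit the daemon to write into.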