From: stefan@seekline.net (Stefan Schulze Frielinghaus)
Date: Sun, 25 Oct 2009 22:14:36 +0100
Subject: [refpolicy] new policy pyicqt
In-Reply-To: <1256488245.16257.5.camel@localhost>
References: <1256471963.2407.7.camel@localhost>
 <20091025144822.GA2698@notebook1.grift.internal>
 <1256483358.2407.34.camel@localhost>
 <1256488245.16257.5.camel@localhost>
Message-ID: <1256505276.2407.48.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 2009-10-25 at 17:30 +0100, Dominick Grift wrote:
> On Sun, 2009-10-25 at 16:09 +0100, Stefan Schulze Frielinghaus wrote:
> > On Sun, 2009-10-25 at 15:48 +0100, Dominick Grift wrote:
> > [...]
> > > allow pyicqt_t self:fifo_file rw_fifo_file_perms;
> >
> > I only included read/write perms because the app didn't complain on all
> > the other permissions which rw_fifo_file_perms will include. But if it
> > is common to use the set of permissions I will change this.
> >
> > [...]
> > > files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
> >
> > Why should we introduce this rule? PyICQt only writes into a directory
> > labeled as pyicqt_spool_t and therefore all new files will inherit the
> > type.
>
> So are you saying that /var/spool/pyicq-t gets installed by the package?

PyICQt is installed by default on Fedora to run as a non-root user. So, yes,
/var/{run,spool}/pyicq-t is installed by the RPM package.

But I think I know what you mean. What happens if another distro runs
PyICQt as root and uses /var/run as the base pidfile directory? I will
include this rule to make sure that other distributions won't run into
trouble.

[...]
> > > files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
> >
> > Same again here. Why? PyICQt writes to /var/run/pyicq-t which is labeled
> > as pyicqt_var_run_t and therefore all new files will inherit this type.
>
> So /var/run/pyicq-t gets installed by the package?

Same as above.

[...]
> See http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

Hey, cool, wasn't aware of such a style guide. Thanks for the link and the
policy review. I will work on the suggestions and submit a new policy.
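The point Dominick is making about the two filetrans rules is easiest to see in a complete module. The fragment below is an added illustration written for this archive, not the policy Stefan submitted to the list: it puts the interfaces quoted in the thread (files_spool_filetrans, files_pid_filetrans, rw_fifo_file_perms, the pyicqt_t / pyicqt_spool_t / pyicqt_var_run_t types) next to the labeling and search rules they depend on. The entrypoint type pyicqt_exec_t, the .fc lines, the files_search_* calls and the widening of the pid transition to { dir file } are assumptions of this example, not taken from the thread; the paths are the ones the thread names.

```selinux
## pyicqt.te  (added example, not the module from the list)
policy_module(pyicqt, 1.0.0)

# Domain and entrypoint. pyicqt_exec_t is assumed for the example.
type pyicqt_t;
type pyicqt_exec_t;
init_daemon_domain(pyicqt_t, pyicqt_exec_t)

# Private types for the spool and pid directories.
type pyicqt_spool_t;
files_type(pyicqt_spool_t)

type pyicqt_var_run_t;
files_pid_file(pyicqt_var_run_t)

# The daemon talks to itself over a pipe; the object class is fifo_file.
allow pyicqt_t self:fifo_file rw_fifo_file_perms;

# The domain must be able to traverse /var/spool and /var/run to reach
# its own subdirectories (assumed helper interfaces).
files_search_spool(pyicqt_t)
files_search_pids(pyicqt_t)

# Full management of objects that already carry the private types. This
# is all that is needed on Fedora, where the RPM ships both directories
# pre-labeled and every file created inside inherits the parent's type.
manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
manage_dirs_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)

# Type transitions. These only take effect when pyicqt_t creates an object
# directly in /var/spool (var_spool_t) or /var/run (var_run_t), i.e. on a
# distribution where the packaged subdirectory does not exist and the
# daemon creates its own directory or drops its pidfile straight into
# /var/run. Without them the new object would inherit var_spool_t or
# var_run_t, and the manage_*_pattern rules above would not match it.
files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, { dir file })
```

The matching file-context entries (also part of this example) label the packaged directories so that both the RPM case and the transition case end up with the same types:

```selinux
## pyicqt.fc  (added example)
/var/spool/pyicq-t(/.*)?	gen_context(system_u:object_r:pyicqt_spool_t,s0)
/var/run/pyicq-t(/.*)?	gen_context(system_u:object_r:pyicqt_var_run_t,s0)
```

A quick check after loading the module: `matchpathcon /var/run/pyicq-t` should report pyicqt_var_run_t, and `ls -Z` on a pidfile the running daemon created should show the same type whether or not the directory existed before the daemon started. If it shows var_run_t instead, the filetrans rule is the piece that is missing.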