From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 16 Nov 2009 13:32:45 -0500
Subject: [refpolicy] services_nut.patch
In-Reply-To: <1258381900.5120.16.camel@localhost>
References: <4AFC823D.3090202@redhat.com> <1258381900.5120.16.camel@localhost>
Message-ID: <4B019ACD.4010406@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
> On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>>
>> nut policy.
> 
> Some time ago I wrote a policy for NUT too (s. attachment). I guess you
> tested your policy with a UPS connected via USB. Maybe we could merge
> both policies because I tested my with the SNMP module of NUT.
> 
> One note about your policy. Shouldn't we prefix all domains with "nut_"?
> This would indicate that e.g. each executable comes from the NUT
> project. Then we could also define one type for /var/run/nut (in my
> policy it is just nut_var_run_t) because the three main domains
> nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
> share e.g. a socket file.
> 
> I would also like to introduce a type for config files because clear
> text passwords are saved in there.
> 
> Your domain upsmon_t needs also to write to all terms because it
> announces information via "wall". It also seems to miss the following
> permissions which are needed if upsmon_t should execute /sbin/shutdown
> (we still do not have a shutdown policy):
> 
> files_rw_generic_pids(nut_upsmon_t)
> init_exec(nut_upsmon_t)
> init_rw_initctl(nut_upsmon_t)
> init_write_utmp(nut_upsmon_t)
> 
> What are your thoughts?
> It tested my policy on CentOS 5.3 with a couple of dozen
> restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
> 
> cheers,
> Stefan

Actually I believe Miroslav wrote this policy so I will forward this to hem and you and he can work on consolidating the policies.

I agree with your points and your naming is fine.