From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 04 Mar 2010 11:16:20 -0500
Subject: [refpolicy] system_daemontools.patch
In-Reply-To: <4B845046.8000001@redhat.com>
References: <4B845046.8000001@redhat.com>
Message-ID: <1267719380.11679.41.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch
>
> + daemonstools_run_start(sysadm_t, sysadm_r)
> + daemontools_search_svc_dir(syslogd_t)
> + daemontools_sigchld_run(ucspitcp_t)
>
> svc_run needs sys_resource
> reads urand
>
> writes to console
>
> Other access required.

Why is this network access needed:

+allow svc_start_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)

a quick glance through the code didn't indicate any network access.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
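
Review bot: The three svc_start_t network rules (`allow svc_start_t self:tcp_socket create_stream_socket_perms;` together with `corenet_tcp_bind_generic_node(svc_start_t)` and `corenet_tcp_bind_generic_port(svc_start_t)`) carry no comment or AVC denial showing what needs them, and the generic-port bind lets the domain listen on any port that has no specific label. Unless a denial from a running svc_start_t justifies them, drop all three; if a listener really is required, bind to a specifically labelled port and document the reason next to the rule. Separately, the first interface in the quoted summary is spelled `daemonstools_run_start` while the other two use the `daemontools_` prefix, so that call should be checked against the interface name the module actually defines.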