From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 04 Mar 2010 11:19:56 -0500
Subject: [refpolicy] system_daemontools.patch
In-Reply-To: <1267719380.11679.41.camel@gorn.columbia.tresys.com>
References: <4B845046.8000001@redhat.com> <1267719380.11679.41.camel@gorn.columbia.tresys.com>
Message-ID: <4B8FDDAC.7010101@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/04/2010 11:16 AM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch
>>
>> + daemonstools_run_start(sysadm_t, sysadm_r)
>> + daemontools_search_svc_dir(syslogd_t)
>> + daemontools_sigchld_run(ucspitcp_t)
>>
>> svc_run needs sys_resource
>> reads urand
>>
>> writes to console
>>
>> Other access required.
>>
> Why is this network access needed:
>
> +allow svc_start_t self:tcp_socket create_stream_socket_perms;
> +corenet_tcp_bind_generic_node(svc_start_t)
> +corenet_tcp_bind_generic_port(svc_start_t)
>
> a quick glance through the code didn't indicate any network access.
>
>
I have no idea. I did not write this one. Miroslav or Dominick?
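
Review bot: The three svc_start_t network rules (`allow svc_start_t self:tcp_socket create_stream_socket_perms;`, `corenet_tcp_bind_generic_node(svc_start_t)`, `corenet_tcp_bind_generic_port(svc_start_t)`) carry no comment or justification, and neither the change summary in the original post nor this thread names a reason for svc_start_t to create and bind a TCP socket. Binding to the generic port type is a broad grant for the svc_start_t domain. Suggest dropping these lines from the patch until an AVC denial showing the bind can be produced; if one is, replace the generic-port bind with the specific port type involved and add a comment naming the program that needs it.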