From: mgrepl@redhat.com (Miroslav Grepl)
Date: Fri, 05 Mar 2010 09:05:10 +0100
Subject: [refpolicy] system_daemontools.patch
In-Reply-To: <4B8FDDAC.7010101@redhat.com>
References: <4B845046.8000001@redhat.com>
	<1267719380.11679.41.camel@gorn.columbia.tresys.com>
	<4B8FDDAC.7010101@redhat.com>
Message-ID: <4B90BB36.2020704@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/04/2010 05:19 PM, Daniel J Walsh wrote:
> On 03/04/2010 11:16 AM, Christopher J. PeBenito wrote:
>> On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch 
>>>
>>>
>>> +    daemonstools_run_start(sysadm_t, sysadm_r)
>>> +    daemontools_search_svc_dir(syslogd_t)
>>> +    daemontools_sigchld_run(ucspitcp_t)
>>>
>>> svc_run needs sys_resource
>>> reads urand
>>>
>>> writes to console
>>>
>>> Other access required.
>> Why is this network access needed:
>>
>> +allow svc_start_t self:tcp_socket create_stream_socket_perms;
>> +corenet_tcp_bind_generic_node(svc_start_t)
>> +corenet_tcp_bind_generic_port(svc_start_t)
>>
>> a quick glance through the code didn't indicate any network access.
>>
> I have no idea.  I did not write this one.  Miroslav or Dominick?
Ok, I am a culprit. We got this as a part of bug and people needed to 
add a local module with these rules to fix policy issues.

Regards,
Miroslav