From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 08 Mar 2010 08:47:09 -0500
Subject: [refpolicy] system_daemontools.patch
In-Reply-To: <4B90BB36.2020704@redhat.com>
References: <4B845046.8000001@redhat.com> <1267719380.11679.41.camel@gorn.columbia.tresys.com> <4B8FDDAC.7010101@redhat.com> <4B90BB36.2020704@redhat.com>
Message-ID: <1268056029.4155.3.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2010-03-05 at 09:05 +0100, Miroslav Grepl wrote:
> On 03/04/2010 05:19 PM, Daniel J Walsh wrote:
> > On 03/04/2010 11:16 AM, Christopher J. PeBenito wrote:
> >> On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
> >>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch
> >>>
> >>>
> >>> + daemonstools_run_start(sysadm_t, sysadm_r)
> >>> + daemontools_search_svc_dir(syslogd_t)
> >>> + daemontools_sigchld_run(ucspitcp_t)
> >>>
> >>> svc_run needs sys_resource
> >>> reads urand
> >>>
> >>> writes to console
> >>>
> >>> Other access required.
> >> Why is this network access needed:
> >>
> >> +allow svc_start_t self:tcp_socket create_stream_socket_perms;
> >> +corenet_tcp_bind_generic_node(svc_start_t)
> >> +corenet_tcp_bind_generic_port(svc_start_t)
> >>
> >> a quick glance through the code didn't indicate any network access.
> >>
> > I have no idea. I did not write this one. Miroslav or Dominick?
> Ok, I am a culprit. We got this as a part of bug and people needed to
> add a local module with these rules to fix policy issues.

Do you have any info as to why?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
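Review bot: in the first quoted block, `daemonstools_run_start(sysadm_t, sysadm_r)` looks like a typo for `daemontools_run_start`; the other two lines use the `daemontools_` prefix, and a misspelled interface name will not resolve when the module is built. Suggest correcting it to `daemontools_run_start(sysadm_t, sysadm_r)`.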
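Review bot: in the second quoted block, `corenet_tcp_bind_generic_port(svc_start_t)` grants bind on every unreserved port, which is hard to justify for a start script; if the access turns out to be needed, the rule should name the specific port type the service binds, and the three lines should carry a comment citing the bug that motivated them so the next reviewer does not have to ask the same question.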
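The question raised in the thread, whether a proposed rule is backed by an actual access request, is usually answered from the AVC denials in the bug report rather than from a local module that was written to make them go away. The script below is an added example, my own code rather than anything from the thread or the refpolicy project: it summarises AVC lines per source domain, drafts the corresponding allow rules, and reports which network-class accesses a domain actually requested. The audit lines are constructed for illustration; the object types they mention (urandom_device_t, console_device_t, svc_svc_t) are assumed refpolicy names, and the events themselves are made up. With the sample input, svc_run_t requests exactly the sys_resource, urandom and console accesses listed in the thread, and no domain requests any tcp_socket access, so no network rule is drafted for svc_start_t.

```python
import re
from collections import defaultdict

# Constructed sample audit output (not from a real system); the source
# domains mirror the thread, the events are invented for illustration.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1267700001.123:401): avc:  denied  { sys_resource } for  pid=2201 comm="svscan" capability=24 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:system_r:svc_run_t:s0 tclass=capability
type=AVC msg=audit(1267700001.456:402): avc:  denied  { read } for  pid=2201 comm="svscan" name="urandom" dev=tmpfs ino=2432 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1267700002.789:403): avc:  denied  { write } for  pid=2201 comm="svscan" path="/dev/console" dev=tmpfs ino=2240 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1267700003.012:404): avc:  denied  { search } for  pid=1180 comm="syslogd" name="service" dev=sda1 ino=1234 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir
"""

# Pull the permission set, source type, target type and object class out of
# one AVC record. The greedy \S+ before the type field makes the capture land
# on the type component of user:role:type:level, whatever the level looks like.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\S+:(?P<stype>\w+):\S*\s+'
    r'tcontext=\S+:(?P<ttype>\w+):\S*\s+'
    r'tclass=(?P<tclass>\w+)'
)

# Object classes whose denials would justify corenet_* or socket rules.
NETWORK_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket",
                   "packet_socket", "node", "netif"}


def summarize_avcs(audit_text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # not an AVC record (or a malformed one); skip it
        key = (match.group("stype"), match.group("ttype"), match.group("tclass"))
        summary[key].update(match.group("perms").split())
    return dict(summary)


def requested_classes(summary, domain):
    """Object classes a source domain was denied access to, sorted."""
    return sorted({tclass for (stype, _, tclass) in summary if stype == domain})


def network_requests(summary, domain):
    """The network-class entries for one domain; empty means no logged basis
    for socket or corenet rules on that domain."""
    return {key: perms for key, perms in summary.items()
            if key[0] == domain and key[2] in NETWORK_CLASSES}


def draft_rules(summary):
    """Render each summarised denial as a raw allow rule, using 'self' when
    source and target types coincide (as in the capability case)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    summary = summarize_avcs(SAMPLE_AUDIT)
    for rule in draft_rules(summary):
        print(rule)
    print("svc_start_t network requests:", network_requests(summary, "svc_start_t"))
```

The raw allow rules are only a starting point; in refpolicy each would be replaced by the interface that covers it (a dev_read_urand or term_use_console call rather than a direct rule on the device type). To run it on a real report, feed the output of `ausearch -m avc` into summarize_avcs instead of the constructed sample.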