From: domg472@gmail.com (Dominick Grift)
Date: Tue, 22 Jun 2010 23:14:28 +0200
Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.
In-Reply-To: <1277236148.19832.6.camel@gorn.columbia.tresys.com>
References: <20100622193622.GA26980@localhost.localdomain> <1277236148.19832.6.camel@gorn.columbia.tresys.com>
Message-ID: <4C2127B4.3080909@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:
>> +## >> +##

>> +## Allow IRC Clients to connect to any TCP port, >> +## and to bind TCP sockets to any unreserved port. >> +##

>> +##
>> +gen_tunable(irc_can_network, false)
>
> A more specific name would be better. Maybe irc_full_networking or
> something.

I had something like that, "irc_use_full_network", but I thought you would like this better because other domains use similar names like "httpd_can_network_connect" etc. Feel free to change it.

>> +type irc_etc_t; >> +files_config_file(irc_etc_t)
>
> Why is this necessary? From what I can tell, irc_t only reads it.
> Irc_t already can read etc_t files, so this seems unnecessary.

No particular reason, although I am not sure if this file can hold sensitive information. It might also come in handy for an irc_admin(), although that would be the only thing one would need irc_admin() for. Feel free to remove it (and its corresponding file context).

>> optional_policy(` >> + automount_dontaudit_getattr_tmp_dirs(irc_t) >> +') >> + >> +optional_policy(` >> nis_use_ypbind(irc_t) >> ') >> + >> +optional_policy(` >> + nscd_socket_use(irc_t) >> +')
>
> These two and the netlink_route socket earlier makes it look like it's
> going towards auth_use_nsswitch().

Both are actually untested, although the first is afaik common to user apps with user home content. The latter is more a guess because irssi wants to search nscd pid. So I am assuming that it does that because it supports nscd (if one has nscd enabled, which I do not). So feel free to either remove that and add nscd_dontaudit_search_pid() (or similar) or add the auth_use_nsswitch(irc_t).

Can you apply these changes or do I have to submit a new patch?
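
Review bot: on `gen_tunable(irc_can_network, false)`, the name reads as if the boolean gates all networking for IRC clients, while the description above it scopes it to connecting to any TCP port and binding TCP sockets to any unreserved port. Name it for that scope, for example one of the two names raised in this thread (irc_full_networking, irc_use_full_network), so an admin toggling it can tell it widens port access. Keeping the default at false is appropriate for a setting this broad.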
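
Review bot: on `type irc_etc_t;` with `files_config_file(irc_etc_t)`, nothing in the quoted hunk says what the file contains that would justify a label separate from etc_t, and the review points out that irc_t only reads it and can already read etc_t files. If the file can hold sensitive information, state that in a comment next to the declaration so the reason for the separate type is recorded; otherwise drop the type together with its file context entry.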
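
Review bot: on the added `nscd_socket_use(irc_t)` block, the access is granted on a guess: the reply says it is untested and based only on irssi wanting to search the nscd pid directory. Granting socket use to quiet a search denial is broader than what was observed, so either replace the individual name-service calls (this one and the existing `nis_use_ypbind(irc_t)`) with auth_use_nsswitch(irc_t) as suggested in review, or use a dontaudit such as nscd_dontaudit_search_pid() for the search alone. The `automount_dontaudit_getattr_tmp_dirs(irc_t)` block is also described as untested and should be confirmed against an actual denial before it is merged.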