From: domg472@gmail.com (Dominick Grift)
Date: Wed, 23 Jun 2010 10:55:32 +0200
Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include
 IRSSI.
In-Reply-To: <1277236148.19832.6.camel@gorn.columbia.tresys.com>
References: <20100622193622.GA26980@localhost.localdomain>
	<1277236148.19832.6.camel@gorn.columbia.tresys.com>
Message-ID: <4C21CC04.1010606@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:

Some more arguments:

>> +## <desc>
>> +##	<p>
>> +##	Allow IRC Clients to connect to any TCP port,
>> +##	and to bind TCP sockets to any unreserved port.
>> +##	</p>
>> +## </desc>
>> +gen_tunable(irc_can_network, false)
> 
> A more specific name would be better.  Maybe irc_full_networking or
> something.
> 

irc_full_network sounds consistent. qemu uses a similar boolean
"qemu_full_network"

>>  
>> +type irc_etc_t;
>> +files_config_file(irc_etc_t)
> 
> Why is this necessary?  From what I can tell, irc_t only reads it.
> Irc_t already can read etc_t files, so this seems unnecessary.
> 

Few arguments here:

1. possible sensitive data.
2. irc_admin()
3. mozilla also has a mozilla_etc_t and also has access to
files_read_etc_files() afaik.

>>  optional_policy(`
>> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
>> +')
>> +
>> +optional_policy(`
>>  	nis_use_ypbind(irc_t)
>>  ')
>> +
>> +optional_policy(`
>> +	nscd_socket_use(irc_t)
>> +')
> 
> These two and the netlink_route socket earlier makes it look like its
> going towards auth_use_nsswitch().
> 

Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
"nscd_socket_use" and "... self:netlink_route_socket
r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().

So either mozillas policy is wrong here too or it is unrelated.

Fact remains that irssi searches nscd pid directories, likely looking
for the nscd.socket to connectto.

automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
to irc clients, but since the irc domain can own temporary objects, my
opinion is that we should support it.

All in all, personally i would only change the boolean name and leave
the rest unchanged.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100623/ee8881b6/attachment.bin