From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 23 Jun 2010 08:15:32 -0400
Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include
 IRSSI.
In-Reply-To: <4C21CC04.1010606@gmail.com>
References: <20100622193622.GA26980@localhost.localdomain>
	<1277236148.19832.6.camel@gorn.columbia.tresys.com>
	<4C21CC04.1010606@gmail.com>
Message-ID: <1277295332.19832.12.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-06-23 at 10:55 +0200, Dominick Grift wrote:
> On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:
> 
> Some more arguments:
> 
> >> +## <desc>
> >> +##	<p>
> >> +##	Allow IRC Clients to connect to any TCP port,
> >> +##	and to bind TCP sockets to any unreserved port.
> >> +##	</p>
> >> +## </desc>
> >> +gen_tunable(irc_can_network, false)
> > 
> > A more specific name would be better.  Maybe irc_full_networking or
> > something.
> > 
> 
> irc_full_network sounds consistent. qemu uses a similar boolean
> "qemu_full_network"

Thats fine.

> >>  
> >> +type irc_etc_t;
> >> +files_config_file(irc_etc_t)
> > 
> > Why is this necessary?  From what I can tell, irc_t only reads it.
> > Irc_t already can read etc_t files, so this seems unnecessary.
> > 
> 
> Few arguments here:
> 
> 1. possible sensitive data.

Such as?

> 2. irc_admin()

I'm not really compelled by this.  I don't think regular apps have
admins.

> 3. mozilla also has a mozilla_etc_t and also has access to
> files_read_etc_files() afaik.

If anything, this just tells me that mozilla is wrong too.

> >>  optional_policy(`
> >> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
> >> +')
> >> +
> >> +optional_policy(`
> >>  	nis_use_ypbind(irc_t)
> >>  ')
> >> +
> >> +optional_policy(`
> >> +	nscd_socket_use(irc_t)
> >> +')
> > 
> > These two and the netlink_route socket earlier makes it look like its
> > going towards auth_use_nsswitch().
> > 
> 
> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
> "nscd_socket_use" and "... self:netlink_route_socket
> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().

I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
perms.  Mozilla does not have nis_use_ypbind(), so it doesn't seem to
need auth_use_nsswitch() yet.  Thats not the case here.

> So either mozillas policy is wrong here too or it is unrelated.
> 
> Fact remains that irssi searches nscd pid directories, likely looking
> for the nscd.socket to connectto.
> 
> automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
> to irc clients, but since the irc domain can own temporary objects, my
> opinion is that we should support it.
> 
> All in all, personally i would only change the boolean name and leave
> the rest unchanged.
> 

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com