From: domg472@gmail.com (Dominick Grift) Date: Wed, 23 Jun 2010 14:28:05 +0200 Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI. In-Reply-To: <1277295332.19832.12.camel@gorn.columbia.tresys.com> References: <20100622193622.GA26980@localhost.localdomain> <1277236148.19832.6.camel@gorn.columbia.tresys.com> <4C21CC04.1010606@gmail.com> <1277295332.19832.12.camel@gorn.columbia.tresys.com> Message-ID: <4C21FDD5.7000504@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote: >>>> >>>> +type irc_etc_t; >>>> +files_config_file(irc_etc_t) >>> >>> Why is this necessary? From what I can tell, irc_t only reads it. >>> Irc_t already can read etc_t files, so this seems unnecessary. >>> >> >> Few arguments here: >> >> 1. possible sensitive data. > > Such as? > For example: "proxy_password = "";" >> 2. irc_admin() > > I'm not really compelled by this. I don't think regular apps have > admins. Well this is a system-wide config in /etc/irssi.conf only an (irc) admin can set system-wide overrides. > >> 3. mozilla also has a mozilla_etc_t and also has access to >> files_read_etc_files() afaik. > > If anything, this just tells me that mozilla is wrong too. That may indeed be wrong but i still believe irc_etc_t is the right thing to do for irc_t. >>>> optional_policy(` >>>> + automount_dontaudit_getattr_tmp_dirs(irc_t) >>>> +') >>>> + >>>> +optional_policy(` >>>> nis_use_ypbind(irc_t) >>>> ') >>>> + >>>> +optional_policy(` >>>> + nscd_socket_use(irc_t) >>>> +') >>> >>> These two and the netlink_route socket earlier makes it look like its >>> going towards auth_use_nsswitch(). >>> >> >> Mozilla also has "automount_dontaudit_getattr_tmp_dirs", >> "nscd_socket_use" and "... self:netlink_route_socket >> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch(). > > I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket > perms. Mozilla does not have nis_use_ypbind(), so it doesn't seem to > need auth_use_nsswitch() yet. Thats not the case here. > >> So either mozillas policy is wrong here too or it is unrelated. >> >> Fact remains that irssi searches nscd pid directories, likely looking >> for the nscd.socket to connectto. >> >> automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific >> to irc clients, but since the irc domain can own temporary objects, my >> opinion is that we should support it. >> >> All in all, personally i would only change the boolean name and leave >> the rest unchanged. >> > I am not sure here. Like i said before; i do not have a nis nor ldap or nscd configuration. The netlink socket perms are confirmed to be required for irssi, and i can also confirm that irssi atleast searches nscd pid directories. I can only assume it does that to find the nscd.socket. If you are not comfortable with adding auth_use_nsswitch(irc_t), then please add nscd_dontaudit_search_pid() and remove the nscd_socket_use and nis_use_ypbind. For what it is worth: In my personal branch i decided to just add auth_use_nsswitch(irc_t). -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100623/83f9d736/attachment.bin