From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 23 Jun 2010 09:50:33 -0400 Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI. In-Reply-To: <1277300946.2875.5.camel@gorn.columbia.tresys.com> References: <20100622193622.GA26980@localhost.localdomain> <1277236148.19832.6.camel@gorn.columbia.tresys.com> <4C21CC04.1010606@gmail.com> <1277295332.19832.12.camel@gorn.columbia.tresys.com> <4C21FDD5.7000504@gmail.com> <1277300946.2875.5.camel@gorn.columbia.tresys.com> Message-ID: <1277301033.2875.6.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2010-06-23 at 09:49 -0400, Christopher J. PeBenito wrote: > On Wed, 2010-06-23 at 14:28 +0200, Dominick Grift wrote: > > On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote: > > > > >>>> > > >>>> +type irc_etc_t; > > >>>> +files_config_file(irc_etc_t) > > >>> > > >>> Why is this necessary? From what I can tell, irc_t only reads it. > > >>> Irc_t already can read etc_t files, so this seems unnecessary. > > >>> > > >> > > >> Few arguments here: > > >> > > >> 1. possible sensitive data. > > > > > > Such as? > > > > > > > For example: "proxy_password = "";" > > Perhaps. Though I suspect its actually not that sensitive, and its > probably easy to get through the app itself. > > > >> 2. irc_admin() > > > > > > I'm not really compelled by this. I don't think regular apps have > > > admins. > > > > Well this is a system-wide config in /etc/irssi.conf only an (irc) admin > > can set system-wide overrides. I'm still not compelled by the idea of an irc admin. > > > > > >> 3. mozilla also has a mozilla_etc_t and also has access to > > >> files_read_etc_files() afaik. > > > > > > If anything, this just tells me that mozilla is wrong too. > > > > That may indeed be wrong but i still believe irc_etc_t is the right > > thing to do for irc_t. > > > > >>>> optional_policy(` > > >>>> + automount_dontaudit_getattr_tmp_dirs(irc_t) > > >>>> +') > > >>>> + > > >>>> +optional_policy(` > > >>>> nis_use_ypbind(irc_t) > > >>>> ') > > >>>> + > > >>>> +optional_policy(` > > >>>> + nscd_socket_use(irc_t) > > >>>> +') > > >>> > > >>> These two and the netlink_route socket earlier makes it look like its > > >>> going towards auth_use_nsswitch(). > > >>> > > >> > > >> Mozilla also has "automount_dontaudit_getattr_tmp_dirs", > > >> "nscd_socket_use" and "... self:netlink_route_socket > > >> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch(). > > > > > > I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket > > > perms. Mozilla does not have nis_use_ypbind(), so it doesn't seem to > > > need auth_use_nsswitch() yet. Thats not the case here. > [...] > > I am not sure here. Like i said before; i do not have a nis nor ldap or > > nscd configuration. The netlink socket perms are confirmed to be > > required for irssi, and i can also confirm that irssi atleast searches > > nscd pid directories. I can only assume it does that to find the > > nscd.socket. > > > > If you are not comfortable with adding auth_use_nsswitch(irc_t), then > > please add nscd_dontaudit_search_pid() and remove the nscd_socket_use > > and nis_use_ypbind. > > > > For what it is worth: In my personal branch i decided to just add > > auth_use_nsswitch(irc_t). > > I think you misunderstand. I think auth_use_nsswitch(irc_t) _should_ be > in there. > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com