From: domg472@gmail.com (Dominick Grift) Date: Fri, 29 Apr 2011 13:20:13 +0200 Subject: [refpolicy] [PATCH] policy module for atop In-Reply-To: References: <1303999436-1548852-1-git-send-email-andronicus.spiros@gmail.com> <4DB97ECE.2090802@gmail.com> Message-ID: <4DBA9EED.5060404@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/29/2011 01:04 PM, Elia Pinto wrote: >> I have had the same idea, in reality, the daemon is a script that >> calls atop. I did not know what was the most elegant solution and I >> wanted to avoid the proliferation of types. But if i separate them for >> atop - versus atopd - should use the interface init_daemon_domain >> init_system_domain or application_domain? i would probably consider leaving "/usr/bin/atop" type bin_t and allow atopd to run bin_t files (corecmd_exec_bin()). Not sure how that would pan out in practice though. >> The interface file was generated from sepolgen. Look also to >> icecast.if in ref policy for example. Not a answer to your question >> however. I will look better for this. Perhaps an bug in sepolgen ? Policy generators are not smart enough (at all). It is a bug in sepolgen, but not one that is easily fixed. You can just remove the atop_domtrans interface altogether since no one calls it anyways. >> Again this is what sepolgen generate : do you want to propose a patch :=) ? Naw this just a personal nit. I bet refpolicy maintainer will not mind. >> Always sepolgen generated . The possible patch starts to get long ....:=) Naw just take note and leave it as is. I bet policy maintainer will not mind. >> No one can use there if these interfaces are not defined yet: insn't ? >> Again generated by default from sepolgen True but if you think like that, then you can create 1000's of interfaces, because hey, who knows, someone some day might need one of them ;) So remove any unused interfaces. If someone needs to interact with your atopd domain then they will add the required interfaces. >> Ok, for this. For the rest , the interface atopd_admin (and all the >> interfaces) was generated >> from sepolgen ok looks like a bug in sepolgen. >> Ok These are just small personal comments, no big deal. I bet the policy maintainer will not mind. >> In this case atop . But i think it is sensible to split the domain now Maybe just label /usr/bin/atop bin_t and allow allow /usr/bin/atopd corecmd_exec_bin() >> Yes, it is. So if you label /usr/bin/atop bin_t then you probably be able to remove this? > I gather this is not optional? >> I will Look better See if atop(d) depends on acct. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk26nu0ACgkQMlxVo39jgT8CTACfez/+HmICKah5sNr5zsko2jZ4 7UwAoJf6+bSUtUtlyGr5Vpo/ndoM3ret =0mzK -----END PGP SIGNATURE-----