From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 02 May 2011 13:46:20 -0400
Subject: [refpolicy] [PATCH] policy module for atop
In-Reply-To: <4DB97ECE.2090802@gmail.com>
References: <1303999436-1548852-1-git-send-email-andronicus.spiros@gmail.com> <4DB97ECE.2090802@gmail.com>
Message-ID: <4DBEEDEC.2090304@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/28/11 10:50, Dominick Grift wrote:
> On 04/28/2011 04:03 PM, Elia Pinto wrote:
>
>> +/usr/bin/atopd -- gen_context(system_u:object_r:atopd_exec_t,s0)
>> +/usr/bin/atop -- gen_context(system_u:object_r:atopd_exec_t,s0)
>
> Might want to consider running the daemon and client in separate domains.

Dominick has given a good review. The above is my biggest concern with the module. However, my guess would be that the client is probably best left without a domain transition (i.e. run atop in the user's domain), but there doesn't seem to be any added rules for the client, so I'm not sure.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
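Review bot: in the quoted file-context hunk, /usr/bin/atop and /usr/bin/atopd both receive the same entrypoint type atopd_exec_t, so whatever domain transition the module defines on atopd_exec_t applies to the interactive client exactly as it does to the daemon. If the intent is for atop to run in the caller's domain, as the reply above suggests, the second line should either be dropped (leaving /usr/bin/atop with the default bin_t label) or give the client its own exec type, rather than sharing the daemon's; sharing it also means any later client-specific rules would have to be untangled from the daemon's.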