From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 9 Jan 2012 22:46:04 +0100
Subject: [refpolicy] Contribute ctdbd policy from Fedora to Refpolicy
In-Reply-To: <4F0B5A9E.10308@redhat.com>
References: <4F072F46.9090709@redhat.com> <20120109210834.GG3416@siphos.be> <4F0B5A9E.10308@redhat.com>
Message-ID: <20120109214603.GK3416@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Jan 09, 2012 at 04:22:38PM -0500, Daniel J Walsh wrote:
> > Same here like with boinc, is there a possibility to have some
> > segregation between the "regular" ctdbd_var_lib_t and the files
> > ctdbd_t wants to execute?
>
> Maybe if these have a constant name, but we have to ask Miroslav.
> Maybe we could use file_name_trans rules, but I still think we end up
> with a type that has to be written and executed by the same domain.

It's a bit odd that it's the "generic" _var_lib_t domain for this purpose.
It gives users a different impression (I don't imagine that any *_var_lib_t
is executed by its "parent" domain).

$ sesearch -c file -p write -A | grep execute | grep var_lib
allow xserver_t xkb_var_lib_t : file { write ... execute execute_no_trans } ;

That's the only one on my system where a domain has both write and execute
rights to a _var_lib_t type.

When I'm aware of a domain writing and executing files (because it's
"flexible" that way) I always hope that this results in a separate domain
(like with boinc) or that it isn't for a wide type. Of course, there are
plenty of examples out there where this doesn't hold up (like logrotate_t
having write/execute rights for logrotate_tmp_t) so I'm not /against/ these
policies (boinc and ctdbd), just careful.

Wkr,
	Sven Vermeulen
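
The write-and-execute audit from the message above, as an added example that is not part of the original mail or of refpolicy: it parses sesearch-style allow rules, matches permissions as whole tokens, and merges rule lines per (source, target) pair. The function name and all sample rules except the xserver_t line quoted from the mail are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input. The first rule is quoted from the mail (its "..." is kept
# as-is); every other rule is constructed for this example.
SAMPLE = """\
allow xserver_t xkb_var_lib_t : file { write ... execute execute_no_trans } ;
allow exampled_t exampled_var_lib_t : file { read write create } ;
allow exampled_t exampled_var_lib_t : file { execute execute_no_trans } ;
allow helper_t helper_var_lib_t : file { read write execute_no_trans } ;
allow logrotate_t logrotate_tmp_t : file { read write execute } ;
allow web_t web_var_lib_t:file write;
"""

# Accepts "src tgt : file { a b } ;" as well as "src tgt:file a;".
RULE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|([^\s;]+))\s*;")


def write_and_execute(text, suffix="_var_lib_t"):
    """Return sorted (source, target) pairs where the source may both write
    and execute files whose type name ends in `suffix`."""
    perms = defaultdict(set)
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # not an allow rule
        src, tgt, cls, braced, single = m.groups()
        if cls != "file" or not tgt.endswith(suffix):
            continue
        # Merge permissions across lines: write and execute may be granted
        # by separate rules for the same pair.
        perms[(src, tgt)].update((braced or single).split())
    # Whole-token comparison: execute_no_trans alone does not count as
    # execute, unlike a substring match on "execute".
    return sorted(p for p, s in perms.items() if {"write", "execute"} <= s)


if __name__ == "__main__":
    for src, tgt in write_and_execute(SAMPLE):
        print(f"{src} may write and execute {tgt}")
```

Passing suffix="_tmp_t" runs the same check over the temporary-file types, which covers the logrotate_tmp_t case the mail mentions.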