From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 07 Aug 2012 19:43:24 +0200
Subject: [refpolicy] [PATCH v4]: mcelog module initial rewrite
In-Reply-To: <50215188.7040900@trentalancia.com>
References: <201208061519.q76FJcDp011962@vivaldi31.register.it>
 <1344267046.29329.57.camel@d30.localdomain>
 <50201053.9000506@trentalancia.com>
 <1344282251.29329.73.camel@d30.localdomain>
 <50215188.7040900@trentalancia.com>
Message-ID: <1344361404.2306.5.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> > It's needed for the (untested) client mode.
>
> There is a boolean for that (and for the server mode, as one might want
> to write another client for example).
>

It's already allowed... I will explain it one more time:

allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)

is what allows this already. It's already there and therefore the
stream_connect_pattern() is redundant.

> >> -miscfiles_read_localization(mcelog_t)
> >> +term_dontaudit_use_all_ptys(mcelog_t)
> >> +term_dontaudit_use_all_ttys(mcelog_t)
> >
> > not needed. use: userdom_use_user_terminals(mcelog_t)
>
> It works and it appears to be widely used.
>
> However it is not entirely clear to me what would happen if the
> userdomain module is explicitly turned off and whether it will keep
> working in single-user mode...
>

No need to worry about that. The userdomain module is not optional.

> >> +tunable_policy(`mcelog_foreground',`
> >> +term_use_all_ttys(mcelog_t)
> >> +term_use_all_ptys(mcelog_t)
> >> +')
> >
> > Not needed.
>
> See above.

Although the policy improved I still have issues with various parts of
your policy. However I won't review it anymore because I have made my
points already in previous reviews. No need for repeating myself.
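Review bot: the first quoted hunk removes miscfiles_read_localization(mcelog_t) in the same change that adds the two term_dontaudit_use_all_*() calls, but nothing in the thread says why the localization read is no longer needed; the patch description should state where mcelog_t now gets that access (or that it was unused), otherwise the hunk silently drops a permission the domain previously had while the replacement lines only touch tty/pty auditing.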
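For reference, a minimal refpolicy-style module fragment, added here as an illustration and not the v4 patch under review, that wires together the constructs the thread discusses: the daemon-side socket rules the reply says already cover the socket, a declared `mcelog_foreground` tunable, and the `userdom_use_user_terminals()` interface recommended in place of the term_use_all_*() calls. The module version, the `mcelog_exec_t` type and the `files_pid_filetrans()` call are assumptions added for completeness, not taken from the thread.

```selinux
policy_module(mcelog, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow mcelog to run in the foreground and use the
## invoking user's terminal for its output.
## </p>
## </desc>
gen_tunable(mcelog_foreground, false)

type mcelog_t;
type mcelog_exec_t;   # assumed entry point type; not shown in the thread
init_daemon_domain(mcelog_t, mcelog_exec_t)

type mcelog_var_run_t;
files_pid_file(mcelog_var_run_t)

########################################
#
# Local policy
#

# Daemon-side socket: create, bind, listen and accept on its own
# UNIX stream socket, and manage the socket file under /run.
allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
files_pid_filetrans(mcelog_t, mcelog_var_run_t, sock_file)   # assumed

# Terminal access only when the boolean is on, and only for the
# terminals of the user who started it, rather than every tty/pty.
tunable_policy(`mcelog_foreground',`
	userdom_use_user_terminals(mcelog_t)
')
```

The point of scoping the terminal rule to the user's own terminals inside the tunable is that the default (boolean off) leaves the daemon with no tty or pty access at all, and turning it on for foreground use widens access only to the invoking user's terminal rather than to every terminal on the system.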