From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 07 Aug 2012 21:35:27 +0200
Subject: [refpolicy] [PATCH v4]: mcelog module initial rewrite
In-Reply-To: <1344361404.2306.5.camel@d30.localdomain>
References: <201208061519.q76FJcDp011962@vivaldi31.register.it> <1344267046.29329.57.camel@d30.localdomain> <50201053.9000506@trentalancia.com> <1344282251.29329.73.camel@d30.localdomain> <50215188.7040900@trentalancia.com> <1344361404.2306.5.camel@d30.localdomain>
Message-ID: <50216DFF.1050309@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Dominick.

On 07/08/2012 19:43, Dominick Grift wrote:
>
>>
>> It's needed for the (untested) client mode.
>>
>> There is a boolean for that (and for the server mode, as one might want
>> to write another client for example).
>>
>
> It's already allowed... I will explain it one more time:
>
> allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
> manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>
> is what allows this already. It's already there and therefore the
> stream_connect_pattern() is redundant.

I have triple-checked now, so at least you could double-check...

stream_connect_pattern() is needed for "connectto" (client-mode)

removal of manage_sock_files_pattern would prevent sock_file creation:
it's the physical entry in the filesystem, not the logical socket
created by create_stream_socket_perms!

> However I won't review it anymore because I have made my points already
> in previous reviews. No need for repeating myself.

As already explained, all your revisions have been introduced as applicable.

My advice is to apply it as it is now and then you can submit further
patches as needed, which also seems much more efficient.

But I would strongly recommend you to also carry out some testing,
because otherwise, no matter how skilled you are, things similar to the
above might happen.

Regards,

Guido
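
Added example, not part of the original message or of refpolicy: a small Python model that expands the two rules quoted above and a stream_connect_pattern() call, then reports which client-side permissions the quoted rules do not already grant. The permission sets and pattern bodies are transcribed from refpolicy's support macros as an assumption to verify against your own tree, and the stream_connect_pattern() arguments are assumed because the message does not show them.

```python
# Assumption: sets and patterns transcribed from refpolicy's
# policy/support/*.spt macros; verify against your own policy tree.
RW_SOCKET = {"ioctl", "read", "getattr", "write", "setattr", "append",
             "bind", "connect", "getopt", "setopt", "shutdown"}
PERMS = {
    "create_stream_socket_perms": RW_SOCKET | {"create", "listen", "accept"},
    "search_dir_perms": {"getattr", "search", "open"},
    "rw_dir_perms": {"open", "read", "getattr", "lock", "search", "ioctl",
                     "add_name", "remove_name", "write"},
    "write_sock_file_perms": {"getattr", "write", "open", "append"},
    "manage_sock_file_perms": {"create", "open", "getattr", "setattr", "read",
                               "write", "rename", "link", "unlink", "ioctl",
                               "lock", "append"},
}

def manage_sock_files_pattern(dom, dirt, filet):
    return [(dom, dirt, "dir", PERMS["rw_dir_perms"]),
            (dom, filet, "sock_file", PERMS["manage_sock_file_perms"])]

def stream_connect_pattern(dom, dirt, sockt, target):
    return [(dom, dirt, "dir", PERMS["search_dir_perms"]),
            (dom, sockt, "sock_file", PERMS["write_sock_file_perms"]),
            (dom, target, "unix_stream_socket", {"connectto"})]

def merge(rules):
    """Collapse allow rules into {(source, target, class): permissions}."""
    av = {}
    for src, tgt, cls, perms in rules:
        av.setdefault((src, tgt, cls), set()).update(perms)
    return av

def missing(av, rules):
    """Permissions requested by `rules` that `av` does not grant."""
    out = {}
    for src, tgt, cls, perms in rules:
        gap = set(perms) - av.get((src, tgt, cls), set())
        if gap:
            out[(src, tgt, cls)] = gap
    return out

# The two rules quoted in the message ("self" resolved to mcelog_t).
QUOTED = merge([("mcelog_t", "mcelog_t", "unix_stream_socket",
                 PERMS["create_stream_socket_perms"])]
               + manage_sock_files_pattern("mcelog_t", "mcelog_var_run_t",
                                           "mcelog_var_run_t"))
# Assumed arguments: the message does not show the actual call.
CLIENT = stream_connect_pattern("mcelog_t", "mcelog_var_run_t",
                                "mcelog_var_run_t", "mcelog_t")

if __name__ == "__main__":
    for key, gap in missing(QUOTED, CLIENT).items():
        print("not granted by the quoted rules:", key, sorted(gap))
```

On a host with the built policy available, the same question can be put to the real policy with `sesearch -A -s mcelog_t -t mcelog_t -c unix_stream_socket -p connectto`.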