From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 08 Aug 2012 17:06:10 +0200
Subject: [refpolicy] [PATCH] Initial BIRD Internet Routing Daemon policy
In-Reply-To: <50227D96.8060200@trentalancia.com>
References: <1344415924-27382-1-git-send-email-dominick.grift@gmail.com>
	<5022443F.2040601@trentalancia.com>
	<1344426166.2306.31.camel@d30.localdomain>
	<50227D96.8060200@trentalancia.com>
Message-ID: <1344438370.2306.46.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com



On Wed, 2012-08-08 at 16:54 +0200, Guido Trentalancia wrote:

> 
> [cut]

> >>> +allow bird_t bird_etc_t:file read_file_perms;
> >>
> >> Use of patterns for reading, writing or managing standard files is more
> >> common throughout the whole reference policy. It's not critical but
> >> think about it, it might improve readability and coherence across the
> >> work as a whole...
> >
> > This is better in my view. The patterns provide permissions that are not
> > needed here. i.e. read_files_pattern(bird_t, bird_etc_t , bird_etc_t)
> > allow bird_t to search bird_etc_t dirs but there aren't any.
> 
> What often happens is that distributions create internal directories 
> within /etc (as in /etc/bird), that's why using the pattern is a bit 
> more future-proof.

I do not like assumptions. If there is a real use to it then i will be
happy to use the pattern.

If there is anything i have learned, it is that one should be
conservative/efficient with adding rules.

assumptions , routine are bad habits imho.