From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 08 Aug 2012 17:06:10 +0200
Subject: [refpolicy] [PATCH] Initial BIRD Internet Routing Daemon policy
In-Reply-To: <50227D96.8060200@trentalancia.com>
References: <1344415924-27382-1-git-send-email-dominick.grift@gmail.com>
	<5022443F.2040601@trentalancia.com>
	<1344426166.2306.31.camel@d30.localdomain>
	<50227D96.8060200@trentalancia.com>
Message-ID: <1344438370.2306.46.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-08-08 at 16:54 +0200, Guido Trentalancia wrote:
> 
> > [cut]
> >
> >>> +allow bird_t bird_etc_t:file read_file_perms;
> >>
> >> Use of patterns for reading, writing or managing standard files is more
> >> common throughout the whole reference policy. It's not critical but
> >> think about it, it might improve readability and coherence across the
> >> work as a whole...
> >
> > This is better in my view. The patterns provide permissions that are not
> > needed here. i.e. read_files_pattern(bird_t, bird_etc_t, bird_etc_t)
> > allows bird_t to search bird_etc_t dirs but there aren't any.
> 
> What often happens is that distributions create internal directories
> within /etc (as in /etc/bird), that's why using the pattern is a bit
> more future-proof.

I do not like assumptions. If there is a real use to it then I will be
happy to use the pattern.

If there is anything I have learned, it is that one should be
conservative/efficient with adding rules. Assumptions and routine are bad
habits imho.
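Review bot: whether the single `allow bird_t bird_etc_t:file read_file_perms;` rule is complete depends on what the module's file contexts label bird_etc_t, and that is not visible from this one line: if only regular files carry the type, the bare allow is the minimal and sufficient rule; if any directory is ever labeled bird_etc_t, bird_t will also need search_dir_perms on it, which is exactly the extra rule read_files_pattern() emits. Add a short comment next to the rule stating that no bird_etc_t directories exist, so the next reviewer does not re-raise the pattern question.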
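The disagreement above is about what read_files_pattern() grants beyond the bare allow rule. The following is an added example, not code from the thread or from refpolicy: it expands the pattern macro into the raw allow rules it generates, diffs that against the bare rule, and then checks whether the extra :dir grant is backed by any directory actually carrying the type. The macro and permission-set definitions are transcribed from refpolicy's misc_patterns.spt and obj_perm_sets.spt as I know them and are an assumption; verify them against the tree you build against. The labeled-directory lists at the bottom are constructed inputs.

```python
"""
Added example (not part of the original thread): expand a refpolicy pattern
macro into the allow rules it generates and show what it grants beyond a
bare allow rule, then check whether the extra :dir rule is backed by any
directory that actually carries the type.

Assumption: PERM_SETS and PATTERNS mirror refpolicy's obj_perm_sets.spt and
misc_patterns.spt; permission sets are occasionally extended, so confirm
them against your checkout.
"""
import re
from collections import defaultdict

# Permission sets (assumed to match refpolicy's obj_perm_sets.spt).
PERM_SETS = {
    "read_file_perms": {"getattr", "open", "read", "lock", "ioctl"},
    "search_dir_perms": {"getattr", "search", "open"},
}

# Pattern macros (assumed to match misc_patterns.spt). Each entry is a list
# of (source_arg, target_arg, class, perm_set); argument indexes are 1-based.
PATTERNS = {
    "read_files_pattern": [
        (1, 2, "dir", "search_dir_perms"),
        (1, 3, "file", "read_file_perms"),
    ],
}

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(.+);$")
MACRO_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_perms(text):
    """'{ read open }' or 'read_file_perms' -> set of permission names."""
    text = text.strip()
    if text.startswith("{"):
        return set(text.strip("{} ").split())
    if text in PERM_SETS:
        return set(PERM_SETS[text])
    return {text}


def expand(policy_text):
    """Return {(source, target, class): set(perms)} for a TE fragment made of
    bare allow rules and the pattern macros listed in PATTERNS."""
    rules = defaultdict(set)
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules[(src, tgt, cls)] |= parse_perms(perms)
            continue
        m = MACRO_RE.match(line)
        if m and m.group(1) in PATTERNS:
            args = [a.strip() for a in m.group(2).split(",")]
            for s, t, cls, pset in PATTERNS[m.group(1)]:
                rules[(args[s - 1], args[t - 1], cls)] |= set(PERM_SETS[pset])
            continue
        raise ValueError(f"unsupported line: {line}")
    return dict(rules)


def extra_grants(bare_policy, pattern_policy):
    """Permissions the pattern version grants that the bare version does not."""
    bare, patt = expand(bare_policy), expand(pattern_policy)
    extra = {}
    for key, perms in patt.items():
        delta = perms - bare.get(key, set())
        if delta:
            extra[key] = delta
    return extra


def dir_rule_needed(extra, labeled_dirs):
    """For each :dir grant in `extra`, report whether some directory carries the
    target type. `labeled_dirs` maps type -> directory paths, e.g. gathered from
    the module's .fc file or from `find / -type d -context '*:TYPE:*'`."""
    return {key[1]: bool(labeled_dirs.get(key[1]))
            for key in extra if key[2] == "dir"}


BARE = "allow bird_t bird_etc_t:file read_file_perms;"
PATTERN = "read_files_pattern(bird_t, bird_etc_t, bird_etc_t)"

if __name__ == "__main__":
    extra = extra_grants(BARE, PATTERN)
    for (s, t, c), p in extra.items():
        print(f"extra: allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};")
    # Constructed input: no directory is labeled bird_etc_t -> dir rule is dead.
    print(dir_rule_needed(extra, {"bird_etc_t": []}))
    # Constructed input: a distro labels /etc/bird as bird_etc_t -> needed.
    print(dir_rule_needed(extra, {"bird_etc_t": ["/etc/bird"]}))
```

The file-class permissions come out identical either way; the only delta is `allow bird_t bird_etc_t:dir { getattr open search };`, which is the rule Dominick calls unneeded and Guido calls future-proofing. Feeding the module's actual .fc entries into dir_rule_needed() turns that disagreement into a checkable fact.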