From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 08 Aug 2012 19:37:56 +0200
Subject: [refpolicy] [PATCH] Initial BIRD Internet Routing Daemon policy
In-Reply-To: <1344438370.2306.46.camel@d30.localdomain>
References: <1344415924-27382-1-git-send-email-dominick.grift@gmail.com>
 <5022443F.2040601@trentalancia.com>
 <1344426166.2306.31.camel@d30.localdomain>
 <50227D96.8060200@trentalancia.com>
 <1344438370.2306.46.camel@d30.localdomain>
Message-ID: <5022A3F4.7060502@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/08/2012 17:06, Dominick Grift wrote:
>
>
> On Wed, 2012-08-08 at 16:54 +0200, Guido Trentalancia wrote:
>
>>
>> [cut]
>
>>>>> +allow bird_t bird_etc_t:file read_file_perms;
>>>>
>>>> Use of patterns for reading, writing or managing standard files is more
>>>> common throughout the whole reference policy. It's not critical but
>>>> think about it, it might improve readability and coherence across the
>>>> work as a whole...
>>>
>>> This is better in my view. The patterns provide permissions that are not
>>> needed here. i.e. read_files_pattern(bird_t, bird_etc_t, bird_etc_t)
>>> allows bird_t to search bird_etc_t dirs but there aren't any.
>>
>> What often happens is that distributions create internal directories
>> within /etc (as in /etc/bird), that's why using the pattern is a bit
>> more future-proof.
>
> I do not like assumptions. If there is a real use to it then I will be
> happy to use the pattern.
>
> If there is anything I have learned, it is that one should be
> conservative/efficient with adding rules.
>
> Assumptions, routine are bad habits imho.

A policy writer simply might not know what all distributions are going to
do. It was just a note. There is real use of that. I am not referring
specifically to this BIRD daemon, which I do not know. And at the moment I
can't remember any specific package on a specific distribution which does
that, but it happens.

It's just the opposite of an assumption, as it means assume nothing (thus
including: do not assume that bird.conf is located top-level in an etc_t
directory).

Regards,

Guido
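As an added illustration (not part of the thread or of the BIRD patch under review), the two choices side by side in refpolicy terms, with the macro expansion that the disagreement is really about; the file-context lines and the /etc/bird layout are hypothetical, used only to show where the difference would surface:

```selinux
# Added illustration; not code from the BIRD patch or from refpolicy's bird module.
#
# refpolicy defines the pattern in policy/support/misc_patterns.spt as:
#
#   define(`read_files_pattern',`
#       allow $1 $2:dir search_dir_perms;
#       allow $1 $3:file read_file_perms;
#   ')
#
# Variant A: the rule exactly as submitted in the patch.
# bird_t may read bird_etc_t files; it gets NO search permission on
# bird_etc_t directories, because none are expected to exist.
allow bird_t bird_etc_t:file read_file_perms;

# Variant B: the pattern suggested in the review. After m4 expansion the
# only extra rule is the dir search line.
read_files_pattern(bird_t, bird_etc_t, bird_etc_t)
#   expands to:
#   allow bird_t bird_etc_t:dir search_dir_perms;
#   allow bird_t bird_etc_t:file read_file_perms;

# --- Hypothetical bird.fc entries for the two layouts being argued about ---
#
# Layout 1: bird.conf sits directly in /etc. The parent dir is etc_t, and
# search on etc_t is granted by the usual files_*() interfaces a daemon
# already calls, so Variant A is sufficient.
/etc/bird\.conf          --   gen_context(system_u:object_r:bird_etc_t,s0)

# Layout 2: a distribution ships /etc/bird/bird.conf and labels the whole
# tree bird_etc_t. Now /etc/bird itself is a bird_etc_t directory:
#   - Variant A: open("/etc/bird/bird.conf") fails at path walk with an
#     AVC "denied { search } ... tclass=dir" against bird_etc_t.
#   - Variant B: the expanded dir search rule covers it.
# Detecting which case you are in: look for that exact denial in the
# audit log at daemon start, rather than adding the rule pre-emptively.
/etc/bird(/.*)?               gen_context(system_u:object_r:bird_etc_t,s0)
```

The trade-off is one extra permission (dir search, a very low-risk one) against one fewer AVC denial to chase if a packager later introduces the directory; both sides of the thread are describing the same two lines.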