From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 14 Nov 2012 20:20:15 +0100
Subject: [refpolicy] [PATCH 3/5] Introduce dontaudits for leaked fd and unix stream sockets
In-Reply-To: <1352916373.3654.3.camel@d30.localdomain>
References: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be>
 <1352566218-17772-4-git-send-email-sven.vermeulen@siphos.be>
 <1352916373.3654.3.camel@d30.localdomain>
Message-ID: <20121114192015.GA4196@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Nov 14, 2012 at 07:06:13PM +0100, Dominick Grift wrote:
> > +interface(`fail2ban_dontaudit_rw_stream_sockets',`
> > + gen_require(`
> > + type fail2ban_t;
> > + ')
> > +
> > + dontaudit $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
> > +')
>
> We should create a rw_inherited_socket_perms permission set and use
> that instead in my honest opinion

Would a more generic "rw_inherited_perms" be sufficient (i.e. without
referring to the class)? As far as I know, inherited file descriptors or
sockets (or ...) are usually just { read write };

Wkr,
	Sven Vermeulen
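Review bot: the `dontaudit $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;` line silences the whole rw_stream_socket_perms set, which is broader than what a leaked or inherited descriptor actually exercises; as the thread already suggests, define a narrower inherited-socket permission set (read and write only) and use it in this interface, so denials on the other socket permissions keep being audited. The quoted lines also show no `## <summary>` / `## <param>` documentation block above `interface(\`fail2ban_dontaudit_rw_stream_sockets',\``; if the full patch has none, add one so the interface is documented like the rest of refpolicy.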