From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 14 Nov 2012 21:31:15 +0100
Subject: [refpolicy] [PATCH 3/5] Introduce dontaudits for leaked fd and unix stream sockets
In-Reply-To: <20121114201858.GA10250@siphos.be>
References: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be>
 <1352566218-17772-4-git-send-email-sven.vermeulen@siphos.be>
 <1352916373.3654.3.camel@d30.localdomain>
 <20121114192015.GA4196@siphos.be>
 <1352921851.3654.34.camel@d30.localdomain>
 <20121114201858.GA10250@siphos.be>
Message-ID: <1352925075.3654.38.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-11-14 at 21:18 +0100, Sven Vermeulen wrote:
> On Wed, Nov 14, 2012 at 08:37:31PM +0100, Dominick Grift wrote:
> > > Would a more generic "rw_inherited_perms" be sufficient (i.e. without
> > > referring to the class)? As far as I know, inherited file descriptors or
> > > sockets (or ...) are usually just { read write };
> >
> > I do not agree. Many kinds of objects can be inherited (think files,
> > blk_files etc), and it's often not just { read write };
>
> Ok, my bad, didn't know that.
>
> > I personally am interested in just an inherited equivalent of any rw
> > permission set that is the same except that it lacks the open permission
> > (much like Fedora does it)
>
> Perhaps we should just use things like:
>
> dontaudit $1 bar_t:file { rw_file_perms ~open }
>
> if we want to have the same equivalent without open?

Not sure if that particular implementation is as efficient as can be, but
the result is exactly what I am interested in personally.

> Wkr,
> Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
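The snippet below is an added illustration of the "rw permission set minus open" arrangement discussed in this message, written in the m4 style refpolicy uses for policy/support/obj_perm_sets.spt and for .if interface files. It is not code from this thread, from refpolicy, or from Fedora's policy as shipped: the member permissions of both sets, the nesting of rw_file_perms on top of rw_inherited_file_perms, the types foo_t and bar_t, and the interface name bar_dontaudit_rw_inherited_files are all assumptions made for the example.

```m4
## Added example, not refpolicy's own code. Assumed permission-set
## definitions in the style of policy/support/obj_perm_sets.spt.
## The inherited set is everything the rw set has except `open`:
## a domain holding only a descriptor it was handed by its parent
## never needs open, so open is deliberately left out of the set.
define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_file_perms',`{ open rw_inherited_file_perms }')

## Assumed interface for a module's .if file: silence the denials a
## caller generates on a bar_t file descriptor that leaked into it
## across fork/exec, without touching the open permission.
interface(`bar_dontaudit_rw_inherited_files',`
	gen_require(`
		type bar_t;
	')

	dontaudit $1 bar_t:file rw_inherited_file_perms;
')

## Assumed caller in foo.te: foo_t is started with a bar_t file
## descriptor leaked from its parent and should not spam the log
## when it reads or writes that descriptor.
bar_dontaudit_rw_inherited_files(foo_t)
```

The reason to keep open out of the dontaudit set, rather than dontauditing rw_file_perms as a whole, is that a leaked descriptor is used with read/write/ioctl only; if foo_t ever calls open() on a bar_t file itself it is doing something beyond using an inherited descriptor, and that attempt should still show up in the audit log rather than being hidden along with the expected noise.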