From: jason@perfinion.com (Jason Zaman)
Date: Wed, 3 Aug 2016 10:44:44 +0800
Subject: [refpolicy] [PATCH] policy for "mon" network monitoring
In-Reply-To: <201608031231.26961.russell@coker.com.au>
References: <20160731090959.fihe7ytiorwwfjno@athena.coker.com.au> <246b3e68-c54f-0454-97f1-8d8684f13d0c@ieee.org> <201608031231.26961.russell@coker.com.au>
Message-ID: <20160803024444.GB29738@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Aug 03, 2016 at 12:31:26PM +1000, Russell Coker wrote:
> On Wed, 3 Aug 2016 10:25:57 AM Chris PeBenito wrote:
> > > We could consider setting up multiple domains for tests, for example one
> > > domain for talking to the Internet and another for local checks. But I
> >
> > That would be a good thing to move towards as the network access on top
> > of sudo doesn't inspire me with much confidence.

Not really useful right now, but ZFS has merged in the "zfs allow" stuff
so hopefully in the near future root will not be required for doing some
ZFS operations.

>
> Well it's not nearly as bad as the daemons that have net access and
> capabilities like setuid.
>
> > > think that the current policy is good enough to be included at the moment
> > > and we can discuss changes later.
> >
> > The mon_test_t rules need some style cleanup, then I think we can look
> > at merging it with its current domain set.
>
> What type of style issues?

SwifT actually has a script to spit out some issues:
https://github.com/sjvermeu/small.coding/blob/master/se_scripts/severifystyle

It's pretty good at finding the less obvious things. Is this something
we should perhaps get pushed up into refpol/support/? Also, if there are
things that the script reports incorrectly, I'd like to know so it can
be fixed.