From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 6 Aug 2016 15:54:50 -0400
Subject: [refpolicy] [PATCH] policy for "mon" network monitoring
In-Reply-To: <201608031231.26961.russell@coker.com.au>
References: <20160731090959.fihe7ytiorwwfjno@athena.coker.com.au> <246b3e68-c54f-0454-97f1-8d8684f13d0c@ieee.org> <201608031231.26961.russell@coker.com.au>
Message-ID: <7c41ca85-990f-83de-ec09-50866d49c3f3@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/02/16 22:31, Russell Coker wrote:
> On Wed, 3 Aug 2016 10:25:57 AM Chris PeBenito wrote:
>>> We could consider setting up multiple domains for tests, for example one
>>> domain for talking to the Internet and another for local checks. But I
>>
>> That would be a good thing to move towards as the network access on top
>> of sudo doesn't inspire me with much confidence.
>
> Well it's not nearly as bad as the daemons that have net access and
> capabilities like setuid.
>
>>> think that the current policy is good enough to be included at the moment
>>> and we can discuss changes later.
>>
>> The mon_test_t rules need some style cleanup, then I think we can look
>> at merging it with its current domain set.
>
> What type of style issues?

Minor. Primarily the mon_test_t rules are one big block that needs to be
broken up, grouped, and sorted in a similar way to the mon_t ones.

--
Chris PeBenito