This patch allows to read hal pid files from the ifconfig_t
context.
diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
--- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100
+++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te 2011-02-15 23:28:42.843164809 +0100
@@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+ hal_read_pid_files(ifconfig_t)
')
optional_policy(`
On 02/16/11 01:34, Guido Trentalancia wrote:
> This patch allows to read hal pid files from the ifconfig_t
> context.
>
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
> --- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te 2011-02-15 23:28:42.843164809 +0100
> @@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
> optional_policy(`
> hal_dontaudit_rw_pipes(ifconfig_t)
> hal_dontaudit_rw_dgram_sockets(ifconfig_t)
> + hal_read_pid_files(ifconfig_t)
> ')
>
> optional_policy(`
Why would this be necessary? Are you sure its not another leak
(especially considering the other dontaudits)?
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 02/28/2011 02:47 PM, Christopher J. PeBenito wrote:
> On 02/16/11 01:34, Guido Trentalancia wrote:
>> This patch allows to read hal pid files from the ifconfig_t
>> context.
>>
>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
>> --- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100
>> +++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te 2011-02-15 23:28:42.843164809 +0100
>> @@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
>> optional_policy(`
>> hal_dontaudit_rw_pipes(ifconfig_t)
>> hal_dontaudit_rw_dgram_sockets(ifconfig_t)
>> + hal_read_pid_files(ifconfig_t)
>> ')
>>
>> optional_policy(`
> Why would this be necessary? Are you sure its not another leak
> (especially considering the other dontaudits)?
>
We have in Fedora
hal_dontaudit_read_pid_files(ifconfig_t)
AFAIK this is a leak.
On Mon, 28/02/2011 at 09.47 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:34, Guido Trentalancia wrote:
> > This patch allows to read hal pid files from the ifconfig_t
> > context.
> >
> > diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
> > --- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100
> > +++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te 2011-02-15 23:28:42.843164809 +0100
> > @@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
> > optional_policy(`
> > hal_dontaudit_rw_pipes(ifconfig_t)
> > hal_dontaudit_rw_dgram_sockets(ifconfig_t)
> > + hal_read_pid_files(ifconfig_t)
> > ')
> >
> > optional_policy(`
>
> Why would this be necessary? Are you sure its not another leak
> (especially considering the other dontaudits)?
Yes, that is not strictly necessary. What do you mean exactly for a
leak ?
Regards,
Guido
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/28/2011 01:26 PM, Guido Trentalancia wrote:
> On Mon, 28/02/2011 at 09.47 -0500, Christopher J. PeBenito wrote:
>> On 02/16/11 01:34, Guido Trentalancia wrote:
>>> This patch allows to read hal pid files from the ifconfig_t
>>> context.
>>>
>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100
>>> +++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te 2011-02-15 23:28:42.843164809 +0100
>>> @@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
>>> optional_policy(`
>>> hal_dontaudit_rw_pipes(ifconfig_t)
>>> hal_dontaudit_rw_dgram_sockets(ifconfig_t)
>>> + hal_read_pid_files(ifconfig_t)
>>> ')
>>>
>>> optional_policy(`
>>
>> Why would this be necessary? Are you sure its not another leak
>> (especially considering the other dontaudits)?
>
> Yes, that is not strictly necessary. What do you mean exactly for a
> leak ?
>
> Regards,
>
> Guido
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
http://danwalsh.livejournal.com/6117.html?thread=16613
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1r6+QACgkQrlYvE4MpobMQlgCgsXvKbJOASK9hh8uMWPFTF1Jz
etAAnRn6N7mpw/QkcDj78XWq5eC3aHCa
=J1QJ
-----END PGP SIGNATURE-----