2011-01-24 00:44:34

by Guido Trentalancia

Subject: [refpolicy] [PATCH/RFC 16/19]: patch set to update the git reference policy

diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/sysnetwork.if refpolicy-git-18012011-new/policy/modules/system/sysnetwork.if
--- refpolicy-git-18012011/policy/modules/system/sysnetwork.if 2011-01-08 19:07:21.362760308 +0100
+++ refpolicy-git-18012011-new/policy/modules/system/sysnetwork.if 2011-01-18 23:13:49.817855562 +0100
@@ -215,6 +215,24 @@ interface(`sysnet_rw_dhcp_config',`

########################################
## <summary>
+## Search dhcp client state directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_search_dhcpc_state',`
+ gen_require(`
+ type dhcpc_state_t;
+ ')
+
+ search_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
+')
+
+########################################
+## <summary>
## Read dhcp client state files.
## </summary>
## <param name="domain">
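Review bot: The new sysnet_search_dhcpc_state interface grants search only on dhcpc_state_t directories (the search_dirs_pattern line), so a caller still cannot reach them unless it is separately allowed to search their parent directories. Add the search permission on the parent directory type(s) inside this interface so that it is usable on its own. The second and third arguments to search_dirs_pattern are also the same type, so a plain `allow $1 dhcpc_state_t:dir search_dir_perms;` would express the rule more directly.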


2011-01-24 13:56:44

by domg472

Subject: [refpolicy] [PATCH/RFC 16/19]: patch set to update the git reference policy

On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/sysnetwork.if refpolicy-git-18012011-new/policy/modules/system/sysnetwork.if
> --- refpolicy-git-18012011/policy/modules/system/sysnetwork.if 2011-01-08 19:07:21.362760308 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/sysnetwork.if 2011-01-18 23:13:49.817855562 +0100
> @@ -215,6 +215,24 @@ interface(`sysnet_rw_dhcp_config',`
>
> ########################################
> ## <summary>
> +## Search dhcp client state directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`sysnet_search_dhcpc_state',`
> + gen_require(`
> + type dhcpc_state_t;
> + ')
> +
> + search_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
> +')

You should also provide access to the location of dhcpc_state_t
directories. This interface may allow access to search dhcpc_state_t
directories, but it does not do any good if the caller cannot search its
parent(s).

> +
> +########################################
> +## <summary>
> ## Read dhcp client state files.
> ## </summary>
> ## <param name="domain">

2011-01-24 15:36:19

by Guido Trentalancia

Subject: [refpolicy] [PATCH/RFC 16/19]: patch set to update the git reference policy

On Mon, 24/01/2011 at 14.56 +0100, Dominick Grift wrote:
> On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/sysnetwork.if refpolicy-git-18012011-new/policy/modules/system/sysnetwork.if
> > --- refpolicy-git-18012011/policy/modules/system/sysnetwork.if 2011-01-08 19:07:21.362760308 +0100
> > +++ refpolicy-git-18012011-new/policy/modules/system/sysnetwork.if 2011-01-18 23:13:49.817855562 +0100
> > @@ -215,6 +215,24 @@ interface(`sysnet_rw_dhcp_config',`
> >
> > ########################################
> > ## <summary>
> > +## Search dhcp client state directories.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`sysnet_search_dhcpc_state',`
> > + gen_require(`
> > + type dhcpc_state_t;
> > + ')
> > +
> > + search_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
> > +')
>
> You should also provide access to the location of dhcpc_state_t
> directories. This interface may allow access to search dhcpc_state_t
> directories, but it does not do any good if the caller cannot search its
> parent(s).

Ok, I agree and it will be done. You already pointed this out for another
similar interface. I had created just the minimum permissions that were
actually being required.

Regards,

Guido