From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 20 Jul 2009 15:40:02 -0400
Subject: [refpolicy] services_setroubleshoot.patch
In-Reply-To: <1248114437.23783.727.camel@gorn>
References: <4A4A0AB9.3010904@redhat.com> <1248114437.23783.727.camel@gorn>
Message-ID: <4A64C812.4050806@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/20/2009 02:27 PM, Christopher J. PeBenito wrote:
> On Tue, 2009-06-30 at 08:53 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_setroubleshoot.patch
>>
>> Removed initrc part of the patch.
>
> You have this:
>
> +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
> +allow setroubleshootd_t self:process { execmem execstack };
>
> Is this anticipated to be a temporary issue? If so, I'd prefer to keep
> it out of refpolicy upstream. Otherwise it would seem to be better to
> be in a distro_redhat.
>
Maybe make it a dontaudit?
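
Review bot: the "allow setroubleshootd_t self:process { execmem execstack };" line grants both permissions to the domain unconditionally, while its comment only says they may be needed "if bad library causes setroubleshoot to require these" and does not name the library or say which of the two denials was actually seen. The comment should identify the library and the observed denial, and the rule should be limited to the permission that was denied, so it can be dropped once the library is fixed. If the rule stays, it needs the distro-specific scoping or dontaudit treatment raised in the thread.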