From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 27 Apr 2010 09:21:05 -0400 Subject: [refpolicy] [ nis patch 1/1] Remove dontaudit interface calls because access is granted. In-Reply-To: <20100420165956.GA2807@localhost.localdomain> References: <20100420165956.GA2807@localhost.localdomain> Message-ID: <1272374465.32279.239.camel@gorn> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2010-04-20 at 18:59 +0200, Dominick Grift wrote: > Issue want introduced in 4b121a5f534d93ae0451e1a2ecf5917285238541 These accesses aren't allowed. They dontaudit bind on all ports < 1024. The corenet_*_bind_reserved_port() just allows access to generic ports < 1024. > Signed-off-by: Dominick Grift > --- > :100644 100644 573b05c... e9d7dea... M policy/modules/services/nis.te > policy/modules/services/nis.te | 4 ---- > 1 files changed, 0 insertions(+), 4 deletions(-) > > diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te > index 573b05c..e9d7dea 100644 > --- a/policy/modules/services/nis.te > +++ b/policy/modules/services/nis.te > @@ -262,8 +262,6 @@ corenet_tcp_bind_reserved_port(ypserv_t) > corenet_udp_bind_reserved_port(ypserv_t) > corenet_tcp_bind_all_rpc_ports(ypserv_t) > corenet_udp_bind_all_rpc_ports(ypserv_t) > -corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) > -corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) > corenet_sendrecv_generic_server_packets(ypserv_t) > > dev_read_sysfs(ypserv_t) 
> @@ -332,8 +330,6 @@ corenet_tcp_bind_reserved_port(ypxfr_t) > corenet_udp_bind_reserved_port(ypxfr_t) > corenet_tcp_bind_all_rpc_ports(ypxfr_t) > corenet_udp_bind_all_rpc_ports(ypxfr_t) > -corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) > -corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) > corenet_tcp_connect_all_ports(ypxfr_t) > corenet_sendrecv_generic_server_packets(ypxfr_t) > corenet_sendrecv_all_client_packets(ypxfr_t) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC
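Review bot: in the ypserv_t hunk (@@ -262,8 +262,6 @@), the two removed corenet_dontaudit_*_bind_all_reserved_ports(ypserv_t) calls are not made redundant by the corenet_tcp_bind_reserved_port(ypserv_t) and corenet_udp_bind_reserved_port(ypserv_t) lines kept as context. As the reply points out, the kept interfaces allow bind only on generic ports < 1024, while the removed ones dontaudit bind on all ports < 1024, so the subject line's "access is granted" covers only part of what the dontaudit rules silence. I would keep both dontaudit lines, or have the commit message name the rule that actually grants bind on the remaining reserved ports.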
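Review bot: in the ypxfr_t hunk (@@ -332,8 +330,6 @@), nothing in the visible context allows bind on all reserved ports: corenet_*_bind_reserved_port(ypxfr_t) and corenet_*_bind_all_rpc_ports(ypxfr_t) are narrower, and corenet_tcp_connect_all_ports(ypxfr_t) is a connect rule, not a bind rule. Since the reply states these accesses aren't allowed, removing the two corenet_dontaudit_*_bind_all_reserved_ports(ypxfr_t) lines would turn denials that are currently silenced into audit log entries. Suggest leaving both lines in; if they are to go, the commit message should document which ports ypxfr_t needs to bind and which interface grants them.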