From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 06 Jul 2010 08:13:55 -0400
Subject: [refpolicy] duplicate rules
In-Reply-To: <201007051736.18433.russell@coker.com.au>
References: <201007051736.18433.russell@coker.com.au>
Message-ID: <4C331E03.5090502@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/05/10 03:36, Russell Coker wrote:
> The following lines are duplicate in the reference policy. I generated this
> via grep/sort/uniq and then manually verified them all.
>
> modules/apps/ethereal.te:corecmd_search_bin(ethereal_t)
> modules/apps/gift.te:kernel_read_system_state(giftd_t)
> modules/apps/java.te:files_read_etc_files(java_t)
> modules/apps/java.te: init_dbus_chat_script(unconfined_java_t)
> modules/apps/wireshark.te:corecmd_search_bin(wireshark_t)
> modules/services/clamav.te:manage_dirs_pattern(clamd_t, clamd_var_log_t,
> clamd_var_log_t)
> modules/services/courier.te:allow courier_authdaemon_t courier_tcpd_t:fd use;
> modules/services/djbdns.te:files_config_file(djbdns_axfrdns_conf_t)
> modules/services/prelude.te:files_search_tmp(prelude_t)
> modules/services/xserver.te:xserver_unconfined(xdm_t)
> modules/services/xserver.te:xserver_use_user_fonts(xserver_t)
> modules/system/init.te:corecmd_exec_all_executables(initrc_t)
> modules/system/init.te:domain_sigstop_all_domains(initrc_t)
> modules/system/init.te:domain_sigstop_all_domains(init_t)
> modules/system/logging.te:files_pid_filetrans(syslogd_t, syslogd_var_run_t,
> file)
> modules/system/lvm.te:kernel_read_kernel_sysctls(lvm_t)
> modules/system/xen.te:term_use_console(xenconsoled_t)
>
>
> For modules/services/lpd.te the following line is unconditionally included as
> well as being in two tunable sections.
> files_list_home(lpr_t)
>
> modules/services/ricci.te has the following duplicated optional section:
> optional_policy(`
> rgmanager_stream_connect(ricci_modclusterd_t)
> ')
>
> modules/services/ssh.te has most of the local policy for ssh_keygen
> duplicated.
>
> modules/services/virt.te has the following optional section duplicated:
>
> optional_policy(`
> xen_rw_image_files(svirt_t)
> ')
>
> modules/system/sysnetwork.te has the following, at the minimum it seems to be
> a duplication of netutils_domtrans(dhcpc_t), and as an aside I didn't
> previously realise that optional_policy() had an else clause...
>
> # for the dhcp client to run ping to check IP addresses
> optional_policy(`
> netutils_domtrans_ping(dhcpc_t)
> netutils_domtrans(dhcpc_t)
> ',`
> allow dhcpc_t self:capability setuid;
> allow dhcpc_t self:rawip_socket create_socket_perms;
> ')
>
> optional_policy(`
> netutils_domtrans(dhcpc_t)
> ')
>
>
> I can send you a patch to remove the dupes if you wish.

Yes, please.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
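
An added example, not part of the original message and not refpolicy tooling: a scope-aware version of the grep/sort/uniq check for one `.te` file, separating the three cases reported in the thread (repeated unconditional statements, repeated whole `optional_policy`/`tunable_policy` blocks, and statements that appear both unconditionally and inside a block). The sample text, `demo_t` and `demo_tunable` are constructed, and the script assumes one statement per line.

```python
from collections import Counter

# Constructed sample .te text; demo_t and demo_tunable are hypothetical names.
SAMPLE = """\
files_list_home(demo_t)   # comment text isn't parsed
corecmd_search_bin(demo_t)
corecmd_search_bin(demo_t)
tunable_policy(`demo_tunable',`
	files_list_home(demo_t)
	kernel_read_system_state(demo_t)
')
optional_policy(`
	netutils_domtrans(demo_t)
')
optional_policy(`
	netutils_domtrans(demo_t)
')
"""

def find_duplicates(te_text):
    """Classify repeated rules in one .te file (assumes one statement per line)."""
    top, blocks, inner = Counter(), Counter(), set()
    depth, current = 0, []
    for raw in te_text.splitlines():
        # Drop comments first, then normalise whitespace.
        line = " ".join(raw.split("#", 1)[0].split())
        if not line:
            continue
        before = depth
        # m4 quoting: a backtick opens a quoted block, an apostrophe closes it.
        depth += line.count("`") - line.count("'")
        if before == 0 and depth == 0:
            top[line] += 1          # unconditional statement
            continue
        current.append(line)
        if before > 0 and "`" not in line and "'" not in line:
            inner.add(line)         # plain statement inside a block
        if depth == 0:              # outermost block just closed
            blocks["\n".join(current)] += 1
            current = []
    return {
        "statements": sorted(s for s, n in top.items() if n > 1),
        "blocks": sorted(b for b, n in blocks.items() if n > 1),
        "also_unconditional": sorted(inner & set(top)),
    }

if __name__ == "__main__":
    for kind, items in find_duplicates(SAMPLE).items():
        print(kind, items)
```

A statement repeated across two different blocks is deliberately not reported, since each copy may be guarded by a different condition and still needs manual review.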