From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 24 Jan 2011 16:12:42 +0100
Subject: [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
In-Reply-To: <4D3D8B05.2050002@gmail.com>
References: <1295829836.3862.62.camel@tesla.lan> <4D3D8B05.2050002@gmail.com>
Message-ID: <1295881963.19674.8.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> > diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te > > --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100 > > +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100 > > @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t) > > > > auth_dontaudit_read_shadow(readahead_t) > > > > +init_read_fifo_file(readahead_t) > > init_use_fds(readahead_t) > > init_use_script_ptys(readahead_t) > > init_getattr_initctl(readahead_t) > > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if > > --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100 > > +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
> > @@ -947,6 +947,24 @@ interface(`init_read_state',` > > > > ######################################## > > ## > > +## Read init fifo file. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`init_read_fifo_file',` > > + gen_require(` > > + attribute init_t; > > + ') > > + > > + read_fifo_files_pattern($1, init_t, init_t) > > +')
>
> no need for pattern here, use: allow $1 init_t:fifo_file r_fifo_file_perms;

Ok will be changed.

> init_t is not an attribute (it's a type)

Hmm. That's too true, good point. But elsewhere in the same interface file it's being declared the same way (see init_ptrace() and init_read_state()). I think I just copied off bits from there, that's why... What should be done to the rest of occurrences then?

> > + > > +######################################## > > +## > > ## Ptrace init > > ## > > ##
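
Review bot: The added init_read_fifo_file(readahead_t) line in the readahead.te hunk gives readahead_t a new read access with no stated reason. The patch description should quote the AVC denial that motivates it, and if the access is not functionally required, a dontaudit interface would fit better with the neighbouring term_dontaudit_use_console and auth_dontaudit_read_shadow calls. The two file diffs are also taken against different trees (refpolicy-git-18012011-update for readahead.te, refpolicy-git-18012011-new for init.if), so the caller and the interface it depends on should be regenerated from a single tree.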
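
Review bot: In the init.if hunk, the gen_require block of init_read_fifo_file declares "attribute init_t;" while the body passes init_t to read_fifo_files_pattern as a type, so the declaration should read "type init_t;". As the reply points out, the pattern macro is not needed here; a single rule, allow $1 init_t:fifo_file r_fifo_file_perms;, keeps the grant limited to the fifo_file class. The existing init_ptrace() and init_read_state() declarations mentioned in the reply are best corrected in a separate patch so this one stays reviewable.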