From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 31 Jan 2011 14:09:34 -0500
Subject: [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
In-Reply-To: <4D3D9777.1030709@gmail.com>
References: <1295829836.3862.62.camel@tesla.lan>
<4D3D8B05.2050002@gmail.com> <1295881963.19674.8.camel@tesla.lan>
<4D3D9777.1030709@gmail.com>
Message-ID: <4D4708EE.7080806@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 1/24/2011 10:15 AM, Dominick Grift wrote:
> On 01/24/2011 04:12 PM, Guido Trentalancia wrote:
>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>
>>>> auth_dontaudit_read_shadow(readahead_t)
>>>>
>>>> +init_read_fifo_file(readahead_t)
>>>> init_use_fds(readahead_t)
>>>> init_use_script_ptys(readahead_t)
>>>> init_getattr_initctl(readahead_t)
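Review bot: the new `init_read_fifo_file(readahead_t)` call grants readahead_t read access to init's FIFO but neither the hunk nor the covering message says which denial it addresses; please document the observed access in the commit message so reviewers can judge whether an allow rule is warranted or a dontaudit (as with `auth_dontaudit_read_shadow(readahead_t)` just above) would be the better fit.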
>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>
>>>> ########################################
>>>> ##
>>>> +## Read init fifo file.
>>>> +##
>>>> +##
>>>> +##
>>>> +## Domain allowed access.
>>>> +##
>>>> +##
>>>> +#
>>>> +interface(`init_read_fifo_file',`
>>>> + gen_require(`
>>>> + attribute init_t;
>>>> + ')
>>>> +
>>>> + read_fifo_files_pattern($1, init_t, init_t)
>>>> +')
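Review bot: `attribute init_t;` in the gen_require block is incorrect, since init_t is declared as a type and not an attribute; it must read `type init_t;` (the same mistake in the existing interfaces of this file should be fixed in a separate change rather than copied). In addition, `read_fifo_files_pattern($1, init_t, init_t)` passes a process type as the directory argument, so the pattern expands to a meaningless search rule on `init_t:dir` next to the intended fifo_file rule; a single direct rule such as `allow $1 init_t:fifo_file r_fifo_file_perms;`, as suggested in the reply, expresses exactly the access the summary line describes.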
>>>
>>> no need for a pattern here, use: allow $1 init_t:fifo_file
>>> r_fifo_file_perms;
>>
>> Ok will be changed.
>>
>>> init_t is not an attribute (it's a type)
>>
>> Hmm. That's too true, good point. But elsewhere in the same interface
>> file it's being declared the same way (see init_ptrace() and
>> init_read_state()). I think I just copied off bits from there, that's
>> why... What should be done with the rest of the occurrences then?
>
> That should be analysed and determined in each of the remaining occurrences.
>
> You may well have stumbled upon a bug.
Yep, there are two interfaces with this bug. I have fixed them in git
master.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com