From: mgrepl@redhat.com (Miroslav Grepl)
Date: Mon, 28 Feb 2011 15:52:51 +0000
Subject: [refpolicy] [PATCH 28/34]: patch to allow reading hal pid files
 from ifconfig_t
In-Reply-To: <4D6BB59C.30105@tresys.com>
References: <1297838085.3205.105.camel@tesla.lan> <4D6BB59C.30105@tresys.com>
Message-ID: <4D6BC4D3.6060607@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/28/2011 02:47 PM, Christopher J. PeBenito wrote:
> On 02/16/11 01:34, Guido Trentalancia wrote:
>> This patch allows to read hal pid files from the ifconfig_t
>> context.
>>
>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
>> --- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te	2011-01-08 19:07:21.363760466 +0100
>> +++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te	2011-02-15 23:28:42.843164809 +0100
>> @@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
>>   optional_policy(`
>>   	hal_dontaudit_rw_pipes(ifconfig_t)
>>   	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
>> +	hal_read_pid_files(ifconfig_t)
>>   ')
>>
>>   optional_policy(`
> Why would this be necessary?  Are you sure its not another leak
> (especially considering the other dontaudits)?
>
We have in Fedora

hal_dontaudit_read_pid_files(ifconfig_t)

AFAIK this is a leak.