From: mgrepl@redhat.com (Miroslav Grepl)
Date: Mon, 28 Feb 2011 15:52:51 +0000
Subject: [refpolicy] [PATCH 28/34]: patch to allow reading hal pid files from ifconfig_t
In-Reply-To: <4D6BB59C.30105@tresys.com>
References: <1297838085.3205.105.camel@tesla.lan> <4D6BB59C.30105@tresys.com>
Message-ID: <4D6BC4D3.6060607@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/28/2011 02:47 PM, Christopher J. PeBenito wrote:
> On 02/16/11 01:34, Guido Trentalancia wrote:
>> This patch allows to read hal pid files from the ifconfig_t
>> context.
>>
>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
>> --- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100
>> +++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te 2011-02-15 23:28:42.843164809 +0100
>> @@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
>> optional_policy(`
>> hal_dontaudit_rw_pipes(ifconfig_t)
>> hal_dontaudit_rw_dgram_sockets(ifconfig_t)
>> + hal_read_pid_files(ifconfig_t)
>> ')
>>
>> optional_policy(`
> Why would this be necessary? Are you sure it's not another leak
> (especially considering the other dontaudits)?
>
We have in Fedora

hal_dontaudit_read_pid_files(ifconfig_t)

AFAIK this is a leak.
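
Review bot: The added hal_read_pid_files(ifconfig_t) in the hal optional_policy block of sysnetwork.te grants ifconfig_t read access without any denial or use case cited in the patch description, and it sits directly beside hal_dontaudit_rw_pipes and hal_dontaudit_rw_dgram_sockets for the same domain, which suggests the access may come from descriptors inherited from hal rather than from ifconfig opening these files itself. Please include the AVC denial that prompted the change; if it turns out to be an inherited descriptor, silence it with a dontaudit interface such as the hal_dontaudit_read_pid_files(ifconfig_t) mentioned for Fedora in this thread rather than allowing the read.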