From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 28 Feb 2011 19:26:43 +0100
Subject: [refpolicy] [PATCH 28/34]: patch to allow reading hal pid files from ifconfig_t
In-Reply-To: <4D6BB59C.30105@tresys.com>
References: <1297838085.3205.105.camel@tesla.lan> <4D6BB59C.30105@tresys.com>
Message-ID: <1298917603.3123.2.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 28/02/2011 at 09.47 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:34, Guido Trentalancia wrote:
> > This patch allows to read hal pid files from the ifconfig_t
> > context.
> >
> > diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te > > --- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100 > > +++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te 2011-02-15 23:28:42.843164809 +0100 > > @@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',` > > optional_policy(` > > hal_dontaudit_rw_pipes(ifconfig_t) > > hal_dontaudit_rw_dgram_sockets(ifconfig_t) > > + hal_read_pid_files(ifconfig_t) > > ') > > > > optional_policy(`
>
> Why would this be necessary? Are you sure it's not another leak
> (especially considering the other dontaudits)?

Yes, that is not strictly necessary.

What exactly do you mean by a leak?

Regards,

Guido
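Review bot: The added hal_read_pid_files(ifconfig_t) line grants real read access in an optional_policy block whose other two entries, hal_dontaudit_rw_pipes and hal_dontaudit_rw_dgram_sockets, only silence denials, and the hunk header context suggests the block sits under ifdef(`hide_broken_symptoms', so an allow rule here looks out of place. The description gives no AVC denial or other evidence that ifconfig itself needs to read hal pid files. Please include the denial that motivated the change (source and target contexts, object class, path). If the access comes from a descriptor inherited from hal rather than from ifconfig opening the file, a dontaudit rule alongside the existing two is the narrower fix. If ifconfig_t genuinely needs the read, the rule belongs outside the hide_broken_symptoms section, with a comment stating why.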