From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 20 Apr 2012 16:13:42 -0400
Subject: [refpolicy] [PATCH 11/13] Adding dontaudits for selinuxutil
In-Reply-To: <20120322201302.GL3387@siphos.be>
References: <20120322200229.GA3387@siphos.be>
 <20120322201302.GL3387@siphos.be>
Message-ID: <4F91C376.2000409@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/22/12 16:13, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/system/selinuxutil.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index ab78aea..bc6e9b7 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -234,6 +234,8 @@ allow newrole_t self:unix_dgram_socket sendto;
> allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
>
> +dontaudit newrole_t self:capability dac_read_search;
> +
> read_files_pattern(newrole_t, default_context_t, default_context_t)
> read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)

On the fence with this one. It already has dac_override, which is a superset of dac_read_search.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
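Review bot: the commit message for this hunk is empty apart from the Signed-off-by, and for a dontaudit rule that is exactly the context a maintainer needs. Since the reply points out that newrole_t already holds dac_override, the commit message should record the AVC denial that was actually observed (the operation newrole was performing and the denied capability) when adding `dontaudit newrole_t self:capability dac_read_search;`, so it can be judged whether the rule silences a check that really fires or is redundant with the existing dac_override allow.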