From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 3 Dec 2014 08:14:10 -0500 Subject: [refpolicy] [PATCH] Remove optional else block for dhcp ping In-Reply-To: <1417537634-15820-1-git-send-email-slawrence@tresys.com> References: <1417537634-15820-1-git-send-email-slawrence@tresys.com> Message-ID: <547F0CA2.9000207@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/2/2014 11:27 AM, Steve Lawrence wrote: > Else blocks with optional statements are not supported in CIL. > Currently, if the pp to CIL compiler comes across one of these in a pp > module, it just drops the block and outputs a warning. Fortunately, > these are very rare. In fact, this is the only place in refpolicy where > an optional else block is used, and it is not clear if it is even > needed. This patch is untested, and is more to spark discussions to see > if there are any thoughts about whether or not this piece of policy is > needed. > > Signed-off-by: Steve Lawrence > --- > policy/modules/system/sysnetwork.te | 3 --- > 1 file changed, 3 deletions(-) > > diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te > index 705496d..ddb5a92 100644 > --- a/policy/modules/system/sysnetwork.te > +++ b/policy/modules/system/sysnetwork.te > @@ -195,9 +195,6 @@ optional_policy(` > optional_policy(` > netutils_run_ping(dhcpc_t, dhcpc_roles) > netutils_run(dhcpc_t, dhcpc_roles) > -',` > - allow dhcpc_t self:capability setuid; > - allow dhcpc_t self:rawip_socket create_socket_perms; > ') > > optional_policy(` In practice, it's probably not used, so I think we could remove it. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
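Review bot: the three deleted lines in the `@@ -195,9 +195,6 @@` hunk of policy/modules/system/sysnetwork.te are the else branch that gave dhcpc_t `self:capability setuid` and `self:rawip_socket create_socket_perms` when the optional netutils block is not enabled, and the commit message states the patch is untested. Dropping them narrows dhcpc_t's privileges in that configuration, which is the safer direction, but it is also the only configuration where behaviour changes. A build without the netutils module, followed by a DHCP lease cycle with the audit log checked for AVC denials on dhcpc_t for `capability { setuid }` and `rawip_socket`, would confirm the removal is harmless. The commit message should record that result and say that the change affects only builds without netutils, so the reason for the removal is on record beyond the CIL limitation.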