From: jason@perfinion.com (Jason Zaman) Date: Sun, 21 Dec 2014 14:38:42 +0400 Subject: [refpolicy] [PATCH] Remove optional else block for dhcp ping In-Reply-To: <1417537634-15820-1-git-send-email-slawrence@tresys.com> References: <1417537634-15820-1-git-send-email-slawrence@tresys.com> Message-ID: <20141221103842.GA8438@meriadoc.Home> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, Dec 02, 2014 at 11:27:14AM -0500, Steve Lawrence wrote: > Else blocks with optional statements are not supported in CIL. > Currently, if the pp to CIL compiler comes across one of these in a pp > module, it just drops the block and outputs a warning. Fortunately, > these are very rare. In fact, this is the only place in refpolicy where > an optional else block is used, and it is not clear if it is even > needed. This patch is untested, and is more to spark discussions to see > if there are any thoughts about whether or not this piece of policy is > needed. > > Signed-off-by: Steve Lawrence > --- > policy/modules/system/sysnetwork.te | 3 --- > 1 file changed, 3 deletions(-) > > diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te > index 705496d..ddb5a92 100644 > --- a/policy/modules/system/sysnetwork.te > +++ b/policy/modules/system/sysnetwork.te > @@ -195,9 +195,6 @@ optional_policy(` > optional_policy(` > netutils_run_ping(dhcpc_t, dhcpc_roles) > netutils_run(dhcpc_t, dhcpc_roles) > -',` > - allow dhcpc_t self:capability setuid; > - allow dhcpc_t self:rawip_socket create_socket_perms; > ') > > optional_policy(` > -- > 1.9.3 Hi Christopher, I do not see this patch in the repo yet. Was it missed perhaps? Thanks, Jason
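Review bot: The three lines deleted in the `@@ -195,9 +195,6 @@` hunk of policy/modules/system/sysnetwork.te are the else branch of the `optional_policy` block, so this removal changes behaviour only for policies built without the netutils module, and the commit message says the patch is untested. In that configuration dhcpc_t loses `allow dhcpc_t self:capability setuid;` and `allow dhcpc_t self:rawip_socket create_socket_perms;`, and nothing in the hunk replaces them. Before merging, run the DHCP client on a policy built without netutils, check the audit log for dhcpc_t denials on those two permissions, and record the result in the commit message. If the access turns out to be required, it has to be granted in a form the pp to CIL compiler accepts, since the commit message states that else blocks with optional statements are dropped with a warning.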