From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 12 Feb 2017 14:29:18 -0500
Subject: [refpolicy] [PATCH]
In-Reply-To: <20170212112445.me4fulajczfpulac@athena.coker.com.au>
References: <20170212112445.me4fulajczfpulac@athena.coker.com.au>
Message-ID: <972d1ef7-0e79-76ee-8aba-42fc00a663a4@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/12/17 06:24, Russell Coker via refpolicy wrote:
> Make modutils dependency optional for dpkg.te
>
>
> Index: refpolicy-2.20170212/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170212/policy/modules/contrib/dpkg.te
> @@ -183,13 +183,16 @@ domain_signull_all_domains(dpkg_t)
>  files_read_etc_runtime_files(dpkg_t)
>  files_exec_usr_files(dpkg_t)
>  miscfiles_read_localization(dpkg_t)
> -modutils_run_depmod(dpkg_t, dpkg_roles)
> -modutils_run_insmod(dpkg_t, dpkg_roles)
>  seutil_run_loadpolicy(dpkg_t, dpkg_roles)
>  seutil_run_setfiles(dpkg_t, dpkg_roles)
>  userdom_use_all_users_fds(dpkg_t)
>
>  optional_policy(`
> +	modutils_run_depmod(dpkg_t, dpkg_roles)
> +	modutils_run_insmod(dpkg_t, dpkg_roles)
> +')

Do you have any comments on the dpkg_t TODO block as a whole?  Does dpkg 
need all of this access?  If so, rules should move back up to the 
appropriate positions.


> +optional_policy(`
>  	mta_send_mail(dpkg_t)
>  ')
>  optional_policy(`
> @@ -287,8 +290,10 @@ logging_send_syslog_msg(dpkg_script_t)
>
>  miscfiles_read_localization(dpkg_script_t)
>
> -modutils_run_depmod(dpkg_script_t, dpkg_roles)
> -modutils_run_insmod(dpkg_script_t, dpkg_roles)
> +optional_policy(`
> +	modutils_run_depmod(dpkg_script_t, dpkg_roles)
> +	modutils_run_insmod(dpkg_script_t, dpkg_roles)
> +')

This new optional should go down above the mta_* optional block.





-- 
Chris PeBenito