From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 12 Feb 2017 14:29:18 -0500 Subject: [refpolicy] [PATCH] In-Reply-To: <20170212112445.me4fulajczfpulac@athena.coker.com.au> References: <20170212112445.me4fulajczfpulac@athena.coker.com.au> Message-ID: <972d1ef7-0e79-76ee-8aba-42fc00a663a4@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/12/17 06:24, Russell Coker via refpolicy wrote: > Make modutils dependency optional for dpkg.te > > > Index: refpolicy-2.20170212/policy/modules/contrib/dpkg.te > =================================================================== > --- refpolicy-2.20170212.orig/policy/modules/contrib/dpkg.te > +++ refpolicy-2.20170212/policy/modules/contrib/dpkg.te > @@ -183,13 +183,16 @@ domain_signull_all_domains(dpkg_t) > files_read_etc_runtime_files(dpkg_t) > files_exec_usr_files(dpkg_t) > miscfiles_read_localization(dpkg_t) > -modutils_run_depmod(dpkg_t, dpkg_roles) > -modutils_run_insmod(dpkg_t, dpkg_roles) > seutil_run_loadpolicy(dpkg_t, dpkg_roles) > seutil_run_setfiles(dpkg_t, dpkg_roles) > userdom_use_all_users_fds(dpkg_t) > > optional_policy(` > + modutils_run_depmod(dpkg_t, dpkg_roles) > + modutils_run_insmod(dpkg_t, dpkg_roles) > +') Do you have any comments on the dpkg_t TODO block as a whole? Does dpkg need all of this access? If so, rules should move back up to the appropriate positions. > +optional_policy(` > mta_send_mail(dpkg_t) > ') > optional_policy(` > @@ -287,8 +290,10 @@ logging_send_syslog_msg(dpkg_script_t) > > miscfiles_read_localization(dpkg_script_t) > > -modutils_run_depmod(dpkg_script_t, dpkg_roles) > -modutils_run_insmod(dpkg_script_t, dpkg_roles) > +optional_policy(` > + modutils_run_depmod(dpkg_script_t, dpkg_roles) > + modutils_run_insmod(dpkg_script_t, dpkg_roles) > +') This new optional should go down above the mta_* optional block. -- Chris PeBenito
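Review bot: in the first hunk (dpkg_t, at -183,13 +183,16), the new optional_policy block carries over both modutils_run_depmod(dpkg_t, dpkg_roles) and modutils_run_insmod(dpkg_t, dpkg_roles) unchanged, and the one-line description does not say why dpkg_t itself, as distinct from dpkg_script_t, needs to run insmod. Since the calls are being touched anyway, confirm that need: if it does not hold, drop the insmod call from the dpkg_t block rather than wrapping it; if it does, add a short comment inside the block naming what requires it.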
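Review bot: in the second hunk (dpkg_script_t, at -287,8 +290,10), the optional_policy block is left where the two removed calls were, directly after miscfiles_read_localization(dpkg_script_t) and among unconditional interface calls, while the first hunk places the same block next to the existing optional_policy blocks. Move it down into the optional_policy section of dpkg_script_t so both domains follow the same layout.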