From: russell@coker.com.au (Russell Coker) Date: Thu, 20 Apr 2017 01:08:58 +1000 Subject: [refpolicy] [PATCH] second strict patch In-Reply-To: <1492608168.4994.11.camel@trentalancia.net> References: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au> <1492608168.4994.11.camel@trentalancia.net> Message-ID: <201704200108.58827.russell@coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 19 Apr 2017 11:22:48 PM Guido Trentalancia via refpolicy wrote: > > +######################################## > > +## > > +## Get the attributes of a pstore filesystem. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`ZZZfs_getattr_pstorefs',` > > The interface above has an odd name and however it is not being used > anywhere, so you might probably need to remove it. Yes. When I see that a patch has something that shouldn't be there I edit it and put in ZZZ. Then I apply the patch and use "quilt edit" to edit the source file in question to delete the unwanted part. In this case I forgot to delete an interface. > > --- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if > > +++ refpolicy-2.20170419/policy/modules/system/userdomain.if > > @@ -67,6 +67,7 @@ template(`userdom_base_user_template',` > > dontaudit $1_t user_tty_device_t:chr_file ioctl; > > > > kernel_read_kernel_sysctls($1_t) > > + kernel_read_vm_sysctls($1_t) > > What is this for ? Not sure. I'll remove it for more checks. Maybe it should have been for overcommit. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
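Review bot: the interface added in the first quoted hunk is still named ZZZfs_getattr_pstorefs, so the ZZZ marker for "delete before sending" has leaked into the posted patch, and the thread confirms nothing calls it. Drop the whole interface block (the doc comment lines together with the interface(`ZZZfs_getattr_pstorefs',` definition) from this patch. If a getattr interface for pstore is actually wanted, resend it under a name without the ZZZ prefix, together with the caller that needs it, so the permission it grants can be reviewed in context.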
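Review bot: in the userdomain.if hunk (@@ -67,6 +67,7 @@), the added kernel_read_vm_sysctls($1_t) sits inside userdom_base_user_template, so every domain instantiated from the base user template gains it, and neither the patch nor the thread says which denial it is meant to fix. Leave it out of this patch until the denial is identified. If it turns out to be needed (the overcommit sysctl is mentioned as a guess), add it with a one-line comment naming the access it covers, and consider whether it belongs in the base template or only in the specific domain that triggers it.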