2017-02-12 11:24:45

by Russell Coker

Subject: [refpolicy] [PATCH]

Make modutils dependency optional for dpkg.te


Index: refpolicy-2.20170212/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170212/policy/modules/contrib/dpkg.te
@@ -183,13 +183,16 @@ domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
-modutils_run_depmod(dpkg_t, dpkg_roles)
-modutils_run_insmod(dpkg_t, dpkg_roles)
seutil_run_loadpolicy(dpkg_t, dpkg_roles)
seutil_run_setfiles(dpkg_t, dpkg_roles)
userdom_use_all_users_fds(dpkg_t)

optional_policy(`
+ modutils_run_depmod(dpkg_t, dpkg_roles)
+ modutils_run_insmod(dpkg_t, dpkg_roles)
+')
+
+optional_policy(`
mta_send_mail(dpkg_t)
')
optional_policy(`
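Review bot: the commit message gives no rationale for making the modutils dependency optional; it should say which configurations build dpkg without the modutils module, because once `modutils_run_depmod(dpkg_t, dpkg_roles)` and `modutils_run_insmod(dpkg_t, dpkg_roles)` sit inside optional_policy they are silently dropped on such builds instead of failing the build, so dpkg_t loses the depmod/insmod transitions without any warning. The placement itself is right: the new block lands above the mta_* optional block, keeping the optional blocks in module-name order.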
@@ -287,8 +290,10 @@ logging_send_syslog_msg(dpkg_script_t)

miscfiles_read_localization(dpkg_script_t)

-modutils_run_depmod(dpkg_script_t, dpkg_roles)
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
+optional_policy(`
+ modutils_run_depmod(dpkg_script_t, dpkg_roles)
+ modutils_run_insmod(dpkg_script_t, dpkg_roles)
+')

seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
seutil_run_setfiles(dpkg_script_t, dpkg_roles)
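Review bot: the new optional_policy block for dpkg_script_t is inserted between unconditional rules (after `miscfiles_read_localization(dpkg_script_t)` and before `seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)`), whereas refpolicy keeps optional blocks after the unconditional rules and ordered by module name; move it down to just above the mta_* optional block for dpkg_script_t, mirroring what the first hunk does for dpkg_t.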


2017-02-12 19:29:18

by Chris PeBenito

Subject: [refpolicy] [PATCH]

On 02/12/17 06:24, Russell Coker via refpolicy wrote:
> Make modutils dependency optional for dpkg.te
>
>
> Index: refpolicy-2.20170212/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170212/policy/modules/contrib/dpkg.te
> @@ -183,13 +183,16 @@ domain_signull_all_domains(dpkg_t)
> files_read_etc_runtime_files(dpkg_t)
> files_exec_usr_files(dpkg_t)
> miscfiles_read_localization(dpkg_t)
> -modutils_run_depmod(dpkg_t, dpkg_roles)
> -modutils_run_insmod(dpkg_t, dpkg_roles)
> seutil_run_loadpolicy(dpkg_t, dpkg_roles)
> seutil_run_setfiles(dpkg_t, dpkg_roles)
> userdom_use_all_users_fds(dpkg_t)
>
> optional_policy(`
> + modutils_run_depmod(dpkg_t, dpkg_roles)
> + modutils_run_insmod(dpkg_t, dpkg_roles)
> +')

Do you have any comments on the dpkg_t TODO block as a whole? Does dpkg
need all of this access? If so, rules should move back up to the
appropriate positions.


> +optional_policy(`
> mta_send_mail(dpkg_t)
> ')
> optional_policy(`
> @@ -287,8 +290,10 @@ logging_send_syslog_msg(dpkg_script_t)
>
> miscfiles_read_localization(dpkg_script_t)
>
> -modutils_run_depmod(dpkg_script_t, dpkg_roles)
> -modutils_run_insmod(dpkg_script_t, dpkg_roles)
> +optional_policy(`
> + modutils_run_depmod(dpkg_script_t, dpkg_roles)
> + modutils_run_insmod(dpkg_script_t, dpkg_roles)
> +')

This new optional should go down above the mta_* optional block.

--
Chris PeBenito