From mboxrd@z Thu Jan 1 00:00:00 1970
From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 27 Sep 2013 23:09:01 +0200
Subject: [refpolicy] [PATCH] sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not audit attempts by ifconfig to read, and write dhcpc udp sockets (looks like a leaked fd)
In-Reply-To: <5245F306.5090204@tresys.com>
References: <1380274541-28793-1-git-send-email-dominick.grift@gmail.com> <5245F306.5090204@tresys.com>
Message-ID: <1380316141.23967.6.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2013-09-27 at 17:05 -0400, Christopher J. PeBenito wrote:
> On Fri 27 Sep 2013 05:35:41 AM EDT, Dominick Grift wrote:
> >
> > Signed-off-by: Dominick Grift
> > diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te > > index 9476a7e..9fbb331 100644 > > --- a/policy/modules/system/sysnetwork.te > > +++ b/policy/modules/system/sysnetwork.te > > @@ -111,7 +111,9 @@ > > corenet_udp_bind_dhcpc_port(dhcpc_t) > > corenet_tcp_connect_all_ports(dhcpc_t) > > corenet_sendrecv_dhcpd_client_packets(dhcpc_t) > > -corenet_sendrecv_dhcpc_server_packets(dhcpc_t) > > + > > +corenet_sendrecv_all_server_packets(dhcpc_t) > > +corenet_udp_bind_all_unreserved_ports(dhcpc_t)
>
> I'm anxious about allowing. Which dhcpc is doing this?

dhclient

This is also allowed on Fedora, seems very common.

I don't like it either but little we can do about it

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
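
Review bot: Missing justification on the two added lines at the end of the @@ -111,7 +111,9 @@ hunk: corenet_sendrecv_all_server_packets(dhcpc_t) and corenet_udp_bind_all_unreserved_ports(dhcpc_t) go in without a comment, and the only record of why (dhclient binds its socket to random high UDP ports) is in the subject line and this thread. Please add a comment above them in sysnetwork.te naming dhclient and that behaviour, so a later audit of dhcpc_t can tell the broad grant is deliberate. The same hunk also replaces corenet_sendrecv_dhcpc_server_packets(dhcpc_t) with the all_server_packets variant; if the denial being fixed is only the UDP bind, consider keeping the dhcpc-specific sendrecv line and adding just the bind rule, or state which denial needs the wider one. The subject also describes a dontaudit for ifconfig reading and writing dhcpc UDP sockets, which is not in the quoted hunk and so cannot be checked here.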