* [refpolicy] duplicate rules
@ 2010-07-05 7:36 Russell Coker
2010-07-06 12:13 ` Christopher J. PeBenito
0 siblings, 1 reply; 4+ messages in thread
From: Russell Coker @ 2010-07-05 7:36 UTC (permalink / raw)
To: refpolicy
The following lines are duplicate in the reference policy. I generated this
via grep/sort/uniq and then manually verified them all.
modules/apps/ethereal.te:corecmd_search_bin(ethereal_t)
modules/apps/gift.te:kernel_read_system_state(giftd_t)
modules/apps/java.te:files_read_etc_files(java_t)
modules/apps/java.te: init_dbus_chat_script(unconfined_java_t)
modules/apps/wireshark.te:corecmd_search_bin(wireshark_t)
modules/services/clamav.te:manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
modules/services/courier.te:allow courier_authdaemon_t courier_tcpd_t:fd use;
modules/services/djbdns.te:files_config_file(djbdns_axfrdns_conf_t)
modules/services/prelude.te:files_search_tmp(prelude_t)
modules/services/xserver.te:xserver_unconfined(xdm_t)
modules/services/xserver.te:xserver_use_user_fonts(xserver_t)
modules/system/init.te:corecmd_exec_all_executables(initrc_t)
modules/system/init.te:domain_sigstop_all_domains(initrc_t)
modules/system/init.te:domain_sigstop_all_domains(init_t)
modules/system/logging.te:files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
modules/system/lvm.te:kernel_read_kernel_sysctls(lvm_t)
modules/system/xen.te:term_use_console(xenconsoled_t)
For modules/services/lpd.te the following line is unconditionally included as
well as being in two tunable sections.
files_list_home(lpr_t)
modules/services/ricci.te has the following duplicated optional section:
optional_policy(`
rgmanager_stream_connect(ricci_modclusterd_t)
')
modules/services/ssh.te has most of the local policy for ssh_keygen
duplicated.
modules/services/virt.te has the following optional section duplicated:
optional_policy(`
xen_rw_image_files(svirt_t)
')
modules/system/sysnetwork.te has the following, at the minimum it seems to be
a duplication of netutils_domtrans(dhcpc_t), and as an aside I didn't
previously realise that optional_policy() had an else clause...
# for the dhcp client to run ping to check IP addresses
optional_policy(`
netutils_domtrans_ping(dhcpc_t)
netutils_domtrans(dhcpc_t)
',`
allow dhcpc_t self:capability setuid;
allow dhcpc_t self:rawip_socket create_socket_perms;
')
optional_policy(`
netutils_domtrans(dhcpc_t)
')
I can send you a patch to remove the dupes if you wish.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
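
An added example, not part of the original post or of the refpolicy tree: a plain grep/sort/uniq pass reports repeated lines but cannot tell an unconditional rule from one inside a tunable or optional block, so this sketch tracks m4 quote depth to separate the three cases the message describes. The sample text is constructed from statements named above, and `example_tunable_a` is a hypothetical tunable name.

```python
import re
from collections import Counter

# Constructed sample: statements named in the post, combined into one
# file for illustration. `example_tunable_a` is a hypothetical tunable.
SAMPLE = """
corecmd_search_bin(ethereal_t)
files_list_home(lpr_t)
corecmd_search_bin(ethereal_t)   # repeated at top level
tunable_policy(`example_tunable_a',`
    files_list_home(lpr_t)
')
optional_policy(`
    rgmanager_stream_connect(ricci_modclusterd_t)
')
optional_policy(`
    rgmanager_stream_connect(ricci_modclusterd_t)
')
"""

def find_duplicates(te_text):
    """Classify repeated statements in the text of one .te file."""
    # Assumption: one statement per line; a backtick opens an m4 quoted
    # block and an apostrophe closes it, as in the blocks quoted above.
    depth = 0
    top, nested, blocks, current = Counter(), set(), Counter(), []
    for raw in te_text.splitlines():
        line = re.sub(r"\s+", " ", raw.split("#", 1)[0]).strip()
        if not line:
            continue
        before = depth
        depth += line.count("`") - line.count("'")
        if before > 0 or depth > 0:
            current.append(line)            # line belongs to a block
        if before != depth or line.startswith("'"):
            if depth == 0 and current:      # outermost block just closed
                blocks["\n".join(current)] += 1
                current = []
            continue                        # opener, closer or else separator
        if depth == 0:
            top[line] += 1
        else:
            nested.add(line)
    return {
        "duplicate": sorted(s for s, n in top.items() if n > 1),
        # Granted unconditionally, so the conditional copy changes nothing.
        "also_conditional": sorted(s for s in top if s in nested),
        "duplicate_block": sorted(b for b, n in blocks.items() if n > 1),
    }
```

The `also_conditional` bucket is the one worth reviewing first: because allow rules are additive, disabling the tunable does not remove access that is also granted unconditionally.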
^ permalink raw reply [flat|nested] 4+ messages in thread
* [refpolicy] duplicate rules
2010-07-05 7:36 [refpolicy] duplicate rules Russell Coker
@ 2010-07-06 12:13 ` Christopher J. PeBenito
2010-07-06 22:05 ` Russell Coker
0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2010-07-06 12:13 UTC (permalink / raw)
To: refpolicy
On 07/05/10 03:36, Russell Coker wrote:
> The following lines are duplicate in the reference policy. I generated this
> via grep/sort/uniq and then manually verified them all.
>
> modules/apps/ethereal.te:corecmd_search_bin(ethereal_t)
> modules/apps/gift.te:kernel_read_system_state(giftd_t)
> modules/apps/java.te:files_read_etc_files(java_t)
> modules/apps/java.te: init_dbus_chat_script(unconfined_java_t)
> modules/apps/wireshark.te:corecmd_search_bin(wireshark_t)
> modules/services/clamav.te:manage_dirs_pattern(clamd_t, clamd_var_log_t,
> clamd_var_log_t)
> modules/services/courier.te:allow courier_authdaemon_t courier_tcpd_t:fd use;
> modules/services/djbdns.te:files_config_file(djbdns_axfrdns_conf_t)
> modules/services/prelude.te:files_search_tmp(prelude_t)
> modules/services/xserver.te:xserver_unconfined(xdm_t)
> modules/services/xserver.te:xserver_use_user_fonts(xserver_t)
> modules/system/init.te:corecmd_exec_all_executables(initrc_t)
> modules/system/init.te:domain_sigstop_all_domains(initrc_t)
> modules/system/init.te:domain_sigstop_all_domains(init_t)
> modules/system/logging.te:files_pid_filetrans(syslogd_t, syslogd_var_run_t,
> file)
> modules/system/lvm.te:kernel_read_kernel_sysctls(lvm_t)
> modules/system/xen.te:term_use_console(xenconsoled_t)
>
>
> For modules/services/lpd.te the following line is unconditionally included as
> well as being in two tunable sections.
> files_list_home(lpr_t)
>
> modules/services/ricci.te has the following duplicated optional section:
> optional_policy(`
> rgmanager_stream_connect(ricci_modclusterd_t)
> ')
>
> modules/services/ssh.te has most of the local policy for ssh_keygen
> duplicated.
>
> modules/services/virt.te has the following optional section duplicated:
>
> optional_policy(`
> xen_rw_image_files(svirt_t)
> ')
>
> modules/system/sysnetwork.te has the following, at the minimum it seems to be
> a duplication of netutils_domtrans(dhcpc_t), and as an aside I didn't
> previously realise that optional_policy() had an else clause...
>
> # for the dhcp client to run ping to check IP addresses
> optional_policy(`
> netutils_domtrans_ping(dhcpc_t)
> netutils_domtrans(dhcpc_t)
> ',`
> allow dhcpc_t self:capability setuid;
> allow dhcpc_t self:rawip_socket create_socket_perms;
> ')
>
> optional_policy(`
> netutils_domtrans(dhcpc_t)
> ')
>
>
> I can send you a patch to remove the dupes if you wish.
Yes, please.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* [refpolicy] duplicate rules
2010-07-06 12:13 ` Christopher J. PeBenito
@ 2010-07-06 22:05 ` Russell Coker
2010-07-07 12:42 ` Christopher J. PeBenito
0 siblings, 1 reply; 4+ messages in thread
From: Russell Coker @ 2010-07-06 22:05 UTC (permalink / raw)
To: refpolicy
On Tue, 6 Jul 2010, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> > I can send you a patch to remove the dupes if you wish.
>
> Yes, please.
Attached.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-patch
Size: 11395 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100707/0cb8849f/attachment.bin
^ permalink raw reply [flat|nested] 4+ messages in thread
* [refpolicy] duplicate rules
2010-07-06 22:05 ` Russell Coker
@ 2010-07-07 12:42 ` Christopher J. PeBenito
0 siblings, 0 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2010-07-07 12:42 UTC (permalink / raw)
To: refpolicy
On 07/06/10 18:05, Russell Coker wrote:
> On Tue, 6 Jul 2010, "Christopher J. PeBenito"<cpebenito@tresys.com> wrote:
>>> I can send you a patch to remove the dupes if you wish.
>>
>> Yes, please.
>
> Attached.
I tweaked a couple of places where I wanted to switch which instance was
kept. Otherwise merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 4+ messages in thread