[refpolicy] [PATCH 28/34]: patch to allow reading hal pid files from ifconfig

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH 28/34]: patch to allow reading hal pid files from ifconfig_t
@ 2011-02-16  6:34 Guido Trentalancia
  2011-02-28 14:47 ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Guido Trentalancia @ 2011-02-16  6:34 UTC (permalink / raw)
  To: refpolicy

This patch allows to read hal pid files from the ifconfig_t
context.

diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
--- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te	2011-01-08 19:07:21.363760466 +0100
+++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te	2011-02-15 23:28:42.843164809 +0100
@@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
 optional_policy(`
 	hal_dontaudit_rw_pipes(ifconfig_t)
 	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+	hal_read_pid_files(ifconfig_t)
 ')
 
 optional_policy(`

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH 28/34]: patch to allow reading hal pid files from ifconfig_t
  2011-02-16  6:34 [refpolicy] [PATCH 28/34]: patch to allow reading hal pid files from ifconfig_t Guido Trentalancia
@ 2011-02-28 14:47 ` Christopher J. PeBenito
  2011-02-28 15:52   ` Miroslav Grepl
  2011-02-28 18:26   ` Guido Trentalancia
  0 siblings, 2 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2011-02-28 14:47 UTC (permalink / raw)
  To: refpolicy

On 02/16/11 01:34, Guido Trentalancia wrote:
> This patch allows to read hal pid files from the ifconfig_t
> context.
> 
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
> --- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te	2011-01-08 19:07:21.363760466 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te	2011-02-15 23:28:42.843164809 +0100
> @@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
>  optional_policy(`
>  	hal_dontaudit_rw_pipes(ifconfig_t)
>  	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
> +	hal_read_pid_files(ifconfig_t)
>  ')
>  
>  optional_policy(`

Why would this be necessary?  Are you sure its not another leak
(especially considering the other dontaudits)?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH 28/34]: patch to allow reading hal pid files from ifconfig_t
  2011-02-28 14:47 ` Christopher J. PeBenito
@ 2011-02-28 15:52   ` Miroslav Grepl
  2011-02-28 18:26   ` Guido Trentalancia
  1 sibling, 0 replies; 5+ messages in thread
From: Miroslav Grepl @ 2011-02-28 15:52 UTC (permalink / raw)
  To: refpolicy

On 02/28/2011 02:47 PM, Christopher J. PeBenito wrote:
> On 02/16/11 01:34, Guido Trentalancia wrote:
>> This patch allows to read hal pid files from the ifconfig_t
>> context.
>>
>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
>> --- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te	2011-01-08 19:07:21.363760466 +0100
>> +++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te	2011-02-15 23:28:42.843164809 +0100
>> @@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
>>   optional_policy(`
>>   	hal_dontaudit_rw_pipes(ifconfig_t)
>>   	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
>> +	hal_read_pid_files(ifconfig_t)
>>   ')
>>
>>   optional_policy(`
> Why would this be necessary?  Are you sure its not another leak
> (especially considering the other dontaudits)?
>
We have in Fedora

hal_dontaudit_read_pid_files(ifconfig_t)

AFAIK this is a leak.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH 28/34]: patch to allow reading hal pid files from ifconfig_t
  2011-02-28 14:47 ` Christopher J. PeBenito
  2011-02-28 15:52   ` Miroslav Grepl
@ 2011-02-28 18:26   ` Guido Trentalancia
  2011-02-28 18:39     ` Daniel J Walsh
  1 sibling, 1 reply; 5+ messages in thread
From: Guido Trentalancia @ 2011-02-28 18:26 UTC (permalink / raw)
  To: refpolicy

On Mon, 28/02/2011 at 09.47 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:34, Guido Trentalancia wrote:
> > This patch allows to read hal pid files from the ifconfig_t
> > context.
> > 
> > diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
> > --- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te	2011-01-08 19:07:21.363760466 +0100
> > +++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te	2011-02-15 23:28:42.843164809 +0100
> > @@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
> >  optional_policy(`
> >  	hal_dontaudit_rw_pipes(ifconfig_t)
> >  	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
> > +	hal_read_pid_files(ifconfig_t)
> >  ')
> >  
> >  optional_policy(`
> 
> Why would this be necessary?  Are you sure its not another leak
> (especially considering the other dontaudits)?

Yes, that is not strictly necessary. What do you mean exactly for a
leak ?

Regards,

Guido

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH 28/34]: patch to allow reading hal pid files from ifconfig_t
  2011-02-28 18:26   ` Guido Trentalancia
@ 2011-02-28 18:39     ` Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2011-02-28 18:39 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/28/2011 01:26 PM, Guido Trentalancia wrote:
> On Mon, 28/02/2011 at 09.47 -0500, Christopher J. PeBenito wrote:
>> On 02/16/11 01:34, Guido Trentalancia wrote:
>>> This patch allows to read hal pid files from the ifconfig_t
>>> context.
>>>
>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te
>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/system/sysnetwork.te	2011-01-08 19:07:21.363760466 +0100
>>> +++ refpolicy-git-15022011-new-modified/policy/modules/system/sysnetwork.te	2011-02-15 23:28:42.843164809 +0100
>>> @@ -327,6 +327,7 @@ ifdef(`hide_broken_symptoms',`
>>>  optional_policy(`
>>>  	hal_dontaudit_rw_pipes(ifconfig_t)
>>>  	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
>>> +	hal_read_pid_files(ifconfig_t)
>>>  ')
>>>  
>>>  optional_policy(`
>>
>> Why would this be necessary?  Are you sure its not another leak
>> (especially considering the other dontaudits)?
> 
> Yes, that is not strictly necessary. What do you mean exactly for a
> leak ?
> 
> Regards,
> 
> Guido
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

http://danwalsh.livejournal.com/6117.html?thread=16613
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1r6+QACgkQrlYvE4MpobMQlgCgsXvKbJOASK9hh8uMWPFTF1Jz
etAAnRn6N7mpw/QkcDj78XWq5eC3aHCa
=J1QJ
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2011-02-28 18:39 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-02-16  6:34 [refpolicy] [PATCH 28/34]: patch to allow reading hal pid files from ifconfig_t Guido Trentalancia
2011-02-28 14:47 ` Christopher J. PeBenito
2011-02-28 15:52   ` Miroslav Grepl
2011-02-28 18:26   ` Guido Trentalancia
2011-02-28 18:39     ` Daniel J Walsh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.