From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 26 Sep 2013 08:38:45 -0400 Subject: [refpolicy] [PATCH 04/20] seutils: restorecon wants to read /run symbolic link In-Reply-To: <1380029956-24978-1-git-send-email-dominick.grift@gmail.com> References: <1380029956-24978-1-git-send-email-dominick.grift@gmail.com> Message-ID: <52442AD5.5020701@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue 24 Sep 2013 09:39:16 AM EDT, Dominick Grift wrote: > Do not audit attempts by fixfiles to read all symbolic links > > Signed-off-by: Dominick Grift > --- > policy/modules/system/selinuxutil.te | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te > index 5622246..ff19d75 100644 > --- a/policy/modules/system/selinuxutil.te > +++ b/policy/modules/system/selinuxutil.te > @@ -552,7 +552,7 @@ files_read_etc_runtime_files(setfiles_t) > files_read_etc_files(setfiles_t) > files_list_all(setfiles_t) > files_relabel_all_files(setfiles_t) > -files_read_usr_symlinks(setfiles_t) > +files_dontaudit_read_all_symlinks(setfiles_t) > > fs_getattr_xattr_fs(setfiles_t) > fs_list_all(setfiles_t) Can you further clarify this? Setfiles hasn't changed much in years, so I'm unclear on why this change is necessary. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
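Review bot: In the selinuxutil.te hunk at line 552, the changed line replaces files_read_usr_symlinks(setfiles_t) instead of sitting alongside it, so setfiles_t loses its existing read access to usr symlinks, which neither the subject nor the commit message mentions. If the intent is only to silence denials, keep the existing line and add files_dontaudit_read_all_symlinks(setfiles_t) as a new line. The description also needs to be reconciled with the change: the subject says restorecon wants to read the /run symbolic link, but a dontaudit rule suppresses the denial without granting the read, and the commit message names fixfiles while the rule is applied to setfiles_t. Please state which access is actually needed and include the denial that motivated the change.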