From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 27 Sep 2013 15:56:18 -0400 Subject: [refpolicy] [PATCH][v2] hostname: do not audit attempts by hostname to read and write dhcpc udp sockets (looks like a leaked fd) In-Reply-To: <1380270974-24144-1-git-send-email-dominick.grift@gmail.com> References: <1380270974-24144-1-git-send-email-dominick.grift@gmail.com> Message-ID: <5245E2E2.5030307@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri 27 Sep 2013 04:36:14 AM EDT, Dominick Grift wrote: > > Signed-off-by: Dominick Grift > diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te > index f6cbda9..380197b 100644 > --- a/policy/modules/system/hostname.te > +++ b/policy/modules/system/hostname.te > @@ -51,6 +51,7 @@ > > miscfiles_read_localization(hostname_t) > > +sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t) > sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t) > sysnet_read_config(hostname_t) > sysnet_dns_name_resolve(hostname_t) > diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if > index fb0b50e..6df3dbe 100644 > --- a/policy/modules/system/sysnetwork.if > +++ b/policy/modules/system/sysnetwork.if > @@ -47,6 +47,25 @@ > > ######################################## > ## > +## Do not audit attempts to read and > +## write dhcpc udp socket descriptors. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',` > + gen_require(` > + type dhcpc_t; > + ') > + > + dontaudit $1 dhcpc_t:udp_socket { read write }; > +') > + > +######################################## > +## > ## Do not audit attempts to use > ## the dhcp file descriptors. > ## Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
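Review bot: In the hostname.te hunk, the dontaudit hides the symptom (a udp_socket inherited across exec, as the subject line itself calls a leaked fd) rather than the cause, so it is worth recording in the commit message which dhcpc client leaks the descriptor and whether closing or marking it close-on-exec on the dhcpc side is feasible; a dontaudit here means the denial will no longer be seen even if the leak is later fixed. The placement is otherwise consistent with the neighbouring `sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)` call, which already handles the same leak for the stream socket.

Review bot: In the sysnetwork.if hunk, the doc comment for `sysnet_dontaudit_rw_dhcpc_udp_sockets` shows several empty `+## ` lines where the summary, param and desc markup is expected, so as visible here the interface would produce an empty entry in the generated interface documentation; if that is only the mail archive stripping the tags, the file is fine, otherwise the markup should be restored to match the block that follows it ("Do not audit attempts to use the dhcp file descriptors."). The rule body `dontaudit $1 dhcpc_t:udp_socket { read write };` is appropriately narrow; if denials later show other permissions on the leaked socket (for example getattr or ioctl), extend the set here rather than in the caller.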