path: root/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch
From 0857061b58e5ec0bf00e78839254f21519ed55d4 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Fri, 27 Sep 2013 10:36:14 +0200
Subject: [PATCH] hostname: do not audit attempts by hostname to read and
 write dhcpc udp sockets (looks like a leaked fd)

Upstream-Status: backport

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/system/hostname.te   |    1 +
 policy/modules/system/sysnetwork.if |   19 +++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index f6cbda9..380197b 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)
 
 miscfiles_read_localization(hostname_t)
 
+sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
 sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
 sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
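Review bot: The added `sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)` call has no comment saying it works around a descriptor that hostname appears to inherit from dhcpc, so that reasoning lives only in the commit subject. A line such as `# dhcpc seems to leak its udp socket when it runs hostname; hide the resulting denials` above the call would keep the context in the policy. A dontaudit rule leaves the access denied, but it also silences every other read or write attempt by hostname_t on those sockets. When investigating hostname_t behaviour, rebuild the policy with dontaudit rules disabled (`semodule -DB`) so the records reappear.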
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 52b548c..2cea692 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -47,6 +47,25 @@ interface(`sysnet_run_dhcpc',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read and
+##	write dhcpc udp socket descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	dontaudit $1 dhcpc_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to use
 ##	the dhcp file descriptors.
 ## </summary>
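Review bot: The summary of `sysnet_dontaudit_rw_dhcpc_udp_sockets` does not say that the interface is meant for inherited (leaked) descriptors, so a later caller could use it to hide denials that point to a real problem. Consider wording it as `##	Do not audit attempts to read and write dhcpc udp sockets inherited as leaked descriptors.` so the intended use is visible in the generated interface documentation. The rule only suppresses the log records; judging by the commit subject the descriptor leak itself remains in the DHCP client, where marking the socket close-on-exec would be the root fix, and it is worth tracking that separately.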
-- 
1.7.10.4