From 0857061b58e5ec0bf00e78839254f21519ed55d4 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Fri, 27 Sep 2013 10:36:14 +0200
Subject: [PATCH] hostname: do not audit attempts by hostname to read and
write dhcpc udp sockets (looks like a leaked fd)
Upstream-Status: backport
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/hostname.te | 1 +
policy/modules/system/sysnetwork.if | 19 +++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index f6cbda9..380197b 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)
miscfiles_read_localization(hostname_t)
+sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
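Review bot: The added `sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)` call has no comment saying why the denial is suppressed, so a later reader cannot tell a deliberate leaked-descriptor workaround from an over-broad silence. I would add a line above it such as `# dhcpc appears to leak its udp socket into hostname; access stays denied, only the AVC message is hidden`. The commit message itself hedges with "looks like a leaked fd", so the original denial should be checked to confirm that before relying on this rule. When triaging hostname_t later, dontaudit rules can be switched off temporarily with `semodule -DB` to see what is being hidden.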
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 52b548c..2cea692 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -47,6 +47,25 @@ interface(`sysnet_run_dhcpc',`
########################################
## <summary>
+## Do not audit attempts to read and
+## write dhcpc udp socket descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ dontaudit $1 dhcpc_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
## Do not audit attempts to use
## the dhcp file descriptors.
## </summary>
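Review bot: The summary for `sysnet_dontaudit_rw_dhcpc_udp_sockets` does not say that the rule is meant for descriptors inherited from dhcpc, yet `dontaudit $1 dhcpc_t:udp_socket { read write };` silences every read/write denial on dhcpc_t UDP sockets for the calling domain, whatever the cause. I would extend the summary, e.g. `## write dhcpc udp socket descriptors (inherited/leaked fds).`, so callers do not reach for it to hide denials that deserve investigation. The rule treats the symptom only: if the descriptor really is leaked, the lasting fix is on the dhcp client side (closing the socket or marking it close-on-exec before helpers run), which this patch does not show. The hunk ends inside the next interface's comment block.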
--
1.7.10.4