| 1 |
On 10/12/16 06:19, Jason Zaman wrote: |
| 2 |
> |
| 3 |
> |
| 4 |
> On 9 Dec 2016 16:29, "Robert Sharp" <selinux@×××××××××××××××.org |
| 5 |
> <mailto:selinux@×××××××××××××××.org>> wrote: |
| 6 |
> |
| 7 |
> Just updated all my SELinux policies to 20161023-r1 as they are |
| 8 |
> now stable, which undid one little fix, so I thought I would |
| 9 |
> mention it. |
| 10 |
> |
| 11 |
> Sysnetwork.te does not cover the possibility that dhcpcd may run |
| 12 |
> resolvconf from the dhcpc_script_t domain, which it seems is how |
| 13 |
> my dhcpcd works. This is fixed by adding: |
| 14 |
> |
| 15 |
> optional_policy(` |
| 16 |
> resolvconf_client_domain(dhcpc_script_t) |
| 17 |
> ') |
| 18 |
> |
| 19 |
> to the dhcpc_script policy (end of the file). It seems like a |
| 20 |
> reasonable addition, given the same policy applies to the dhcpc_t |
| 21 |
> domain. |
| 22 |
> |
| 23 |
> Not sure if this sort of proposal should be filed as a bug or just |
| 24 |
> raised here? |
| 25 |
> |
| 26 |
> Robert Sharp |
| 27 |
> |
| 28 |
> Can you file a bug on bugs.gentoo.org <http://bugs.gentoo.org> and say |
| 29 |
> this and also list the AVCs you get from audit.log? |
| 30 |
> |
| 31 |
> I have already prepared the -r2 release just haven't pushed it to the |
| 32 |
> repo yet so I probably won't add to that cuz I don't want to do it |
| 33 |
> last min. The -r2 policies will be out as soon as I figure out why the |
| 34 |
> 4.8 kernel isn't booting for me. |
| 35 |
> |
| 36 |
> Thanks! |
| 37 |
> Jason |
| 38 |
> |
| 39 |
Hi Jason, |
| 40 |
|
| 41 |
Just filing the bug and I realise I did not save any AVCs relating to |
| 42 |
dhcpc_script_t, but only those for resolvconf itself. It would be useful |
| 43 |
to include the former but to do that I need to unwind my locally patched |
| 44 |
policy. I know I can use semodule -r to remove the patched module, but |
| 45 |
how do I get the original policy re-instated given it is part of the |
| 46 |
core? I guess I could create another local module from my git clone and |
| 47 |
load that? |
| 48 |
|
| 49 |
Thanks, |
| 50 |
|
| 51 |
Robert |
Archives