On 10/12/16 06:19, Jason Zaman wrote:
>
> On 9 Dec 2016 16:29, "Robert Sharp" <selinux@×××××××××××××××.org
> <mailto:selinux@×××××××××××××××.org>> wrote:
>
> Just updated all my SELinux policies to 20161023-r1 as they are
> now stable, which undid one little fix, so I thought I would
> mention it.
>
> Sysnetwork.te does not cover the possibility that dhcpcd may run
> resolvconf from the dhcpc_script_t domain, which it seems is how
> my dhcpcd works. This is fixed by adding:
>
> optional_policy(`
>     resolvconf_client_domain(dhcpc_script_t)
> ')
>
> to the dhcpc_script policy (end of the file). It seems like a
> reasonable addition, given the same policy applies to the dhcpc_t
> domain.
>
> Not sure if this sort of proposal should be filed as a bug or just
> raised here?
>
> Robert Sharp
>
> Can you file a bug on bugs.gentoo.org <http://bugs.gentoo.org> and say
> this and also list the AVCs you get from audit.log?
>
> I have already prepared the -r2 release just haven't pushed it to the
> repo yet so I probably won't add to that cuz I don't want to do it
> last min. The -r2 policies will be out as soon as I figure out why the
> 4.8 kernel isn't booting for me.
>
> Thanks!
> Jason
>
Hi Jason,

Just filing the bug and I realise I did not save any AVCs relating to
dhcpc_script_t, but only those for resolvconf itself. It would be useful
to include the former but to do that I need to unwind my locally patched
policy. I know I can use semodule -r to remove the patched module, but
how do I get the original policy re-instated given it is part of the
core? I guess I could create another local module from my git clone and
load that?

Thanks,

Robert