Would you like me to resubmit those patches or would you rather just add them
with the changes you suggest?
On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote:
> On 1/2/19 3:40 AM, Russell Coker wrote:
> > Lots of little things that are self-explanatory.
> >
> > Boinc has some unusual stuff for lsb_release -a and for mmaping
> > ld.so.cache.
> >
> > Remove obsolete policy from syncthing as we have it in
> > sysnet_dns_name_resolve().
>
> [...]
>
> > Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> > +++ refpolicy-2.20180701/policy/modules/services/boinc.te
>
> [...]
>
> > @@ -169,7 +173,7 @@ optional_policy(`
> >
> > #
> >
> > allow boinc_project_t self:capability { setgid setuid };
> >
> > -allow boinc_project_t self:process { execmem execstack noatsecure ptrace
> > setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t
> > self:process { execmem execstack noatsecure ptrace setcap getcap setpgid
> > setsched signal signal_perms };
> This change shouldn't be necessary since signal is already in signal_perms.
>
> [...]
>
> > --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> > +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> > @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
> >
> > #######################################
> > ## <summary>
> >
> > +## relabel the last logins log.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`auth_relabel_lastlog',`
> > + gen_require(`
> > + type lastlog_t;
> > + ')
> > +
> > + logging_search_logs($1)
> > + allow $1 lastlog_t:file { relabelfrom relabelto };
> > +')
> > +
> > +#######################################
> > +## <summary>
> >
> > ## Read and write to the last logins log.
> > ## </summary>
> > ## <param name="domain">
> >
> > @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
> >
> > ')
> >
> > ########################################
> >
> > +## <summary>
> > +## Manage the last logins log.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`auth_manage_lastlog',`
> > + gen_require(`
> > + type lastlog_t;
> > + ')
> > +
> > + allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
>
> The relabel perms shouldn't be in here. I'd say split it into a new
> interface, but you're adding the other interface earlier in the patch.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
