[refpolicy] duplicate rules
Christopher J. PeBenito
cpebenito at tresys.com
Tue Jul 6 07:13:55 CDT 2010
On 07/05/10 03:36, Russell Coker wrote:
> The following lines are duplicate in the reference policy. I generated this
> via grep/sort/uniq and then manually verified them all.
>
> modules/apps/ethereal.te:corecmd_search_bin(ethereal_t)
> modules/apps/gift.te:kernel_read_system_state(giftd_t)
> modules/apps/java.te:files_read_etc_files(java_t)
> modules/apps/java.te: init_dbus_chat_script(unconfined_java_t)
> modules/apps/wireshark.te:corecmd_search_bin(wireshark_t)
> modules/services/clamav.te:manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
> modules/services/courier.te:allow courier_authdaemon_t courier_tcpd_t:fd use;
> modules/services/djbdns.te:files_config_file(djbdns_axfrdns_conf_t)
> modules/services/prelude.te:files_search_tmp(prelude_t)
> modules/services/xserver.te:xserver_unconfined(xdm_t)
> modules/services/xserver.te:xserver_use_user_fonts(xserver_t)
> modules/system/init.te:corecmd_exec_all_executables(initrc_t)
> modules/system/init.te:domain_sigstop_all_domains(initrc_t)
> modules/system/init.te:domain_sigstop_all_domains(init_t)
> modules/system/logging.te:files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
> modules/system/lvm.te:kernel_read_kernel_sysctls(lvm_t)
> modules/system/xen.te:term_use_console(xenconsoled_t)
>
>
> For modules/services/lpd.te the following line is unconditionally included as
> well as being in two tunable sections.
> files_list_home(lpr_t)
>
> modules/services/ricci.te has the following duplicated optional section:
> optional_policy(`
> rgmanager_stream_connect(ricci_modclusterd_t)
> ')
>
> modules/services/ssh.te has most of the local policy for ssh_keygen
> duplicated.
>
> modules/services/virt.te has the following optional section duplicated:
>
> optional_policy(`
> xen_rw_image_files(svirt_t)
> ')
>
> modules/system/sysnetwork.te has the following, at the minimum it seems to be
> a duplication of netutils_domtrans(dhcpc_t), and as an aside I didn't
> previously realize that optional_policy() had an else clause...
>
> # for the dhcp client to run ping to check IP addresses
> optional_policy(`
> netutils_domtrans_ping(dhcpc_t)
> netutils_domtrans(dhcpc_t)
> ',`
> allow dhcpc_t self:capability setuid;
> allow dhcpc_t self:rawip_socket create_socket_perms;
> ')
>
> optional_policy(`
> netutils_domtrans(dhcpc_t)
> ')
>
>
> I can send you a patch to remove the dupes if you wish.
Yes, please.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
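
An added example, not part of the original thread or of the reference policy itself: a block-aware version of the grep/sort/uniq check described above, which separates plain duplicates from rules that are both unconditional and repeated inside a `tunable_policy`/`optional_policy` block. The function name, the sample fragment and the tunable name `example_tunable` are constructed for illustration; the check is line-based, so its output still needs the manual verification the thread mentions.

```python
import re
from collections import Counter

def find_duplicate_rules(te_source):
    """Return (unconditional_dupes, also_conditional, repeated_in_blocks)."""
    top, nested = Counter(), Counter()
    depth = 0
    for raw in te_source.splitlines():
        line = raw.split("#", 1)[0]          # drop comments, which may contain quotes
        opens, closes = line.count("`"), line.count("'")
        stmt = re.sub(r"\s+", " ", line).strip()
        if stmt and not opens and not closes:
            (top if depth == 0 else nested)[stmt] += 1
        depth += opens - closes              # m4 quotes delimit policy blocks
    unconditional = sorted(s for s, n in top.items() if n > 1)
    also_conditional = sorted(s for s in top if s in nested)
    repeated_in_blocks = sorted(
        s for s, n in nested.items() if n > 1 and s not in top)
    return unconditional, also_conditional, repeated_in_blocks

# Constructed sample modelled on the cases reported in the thread
# (lines from several modules combined into one fragment).
SAMPLE = """
corecmd_search_bin(wireshark_t)
files_list_home(lpr_t)
corecmd_search_bin(wireshark_t)   # second copy

tunable_policy(`example_tunable',`
    files_list_home(lpr_t)
')

# for the dhcp client to run ping to check IP addresses
optional_policy(`
    netutils_domtrans_ping(dhcpc_t)
    netutils_domtrans(dhcpc_t)
',`
    allow dhcpc_t self:capability setuid;
')

optional_policy(`
    netutils_domtrans(dhcpc_t)
')
"""

if __name__ == "__main__":
    labels = ("duplicate", "unconditional and conditional", "repeated in blocks")
    for label, rules in zip(labels, find_duplicate_rules(SAMPLE)):
        for rule in rules:
            print(f"{label}: {rule}")
```

Rules reported as "repeated in blocks" may sit under different conditions, so each one has to be read in context before it is removed.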