On 10/12/16 06:19, Jason Zaman wrote:
> On 9 Dec 2016 16:29, "Robert Sharp" <[email protected]> wrote:
>
> > Just updated all my SELinux policies to 20161023-r1 as they are
> > now stable, which undid one little fix, so I thought I would
> > mention it.
> >
> > Sysnetwork.te does not cover the possibility that dhcpcd may run
> > resolvconf from the dhcpc_script_t domain, which it seems is how
> > my dhcpcd works. This is fixed by adding:
> >
> >     optional_policy(`
> >         resolvconf_client_domain(dhcpc_script_t)
> >     ')
> >
> > to the dhcpc_script policy (end of the file). It seems like a
> > reasonable addition, given the same policy applies to the dhcpc_t
> > domain.
> >
> > Not sure if this sort of proposal should be filed as a bug or just
> > raised here?
> >
> > Robert Sharp
>
> Can you file a bug on bugs.gentoo.org <http://bugs.gentoo.org> and say
> this and also list the AVCs you get from audit.log?
>
> I have already prepared the -r2 release just haven't pushed it to the
> repo yet so I probably won't add to that cuz I don't want to do it
> last min. The -r2 policies will be out as soon as I figure out why the
> 4.8 kernel isn't booting for me.
>
> Thanks!
> Jason

Hi Jason,
Just filing the bug and I realise I did not save any AVCs relating to
dhcpc_script_t, but only those for resolvconf itself. It would be useful
to include the former but to do that I need to unwind my locally patched
policy. I know I can use semodule -r to remove the patched module, but
how do I get the original policy re-instated given it is part of the
core? I guess I could create another local module from my git clone and
load that?
Thanks,
Robert
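
An added example, not part of the original thread: one way to pull the AVC denials for a single source domain (here dhcpc_script_t) out of audit.log text so they can be attached to the bug report. The log lines are constructed samples, and the function name avcs_for_domain and the target types shown are assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1481300000.101:410): avc:  denied  { execute } for  pid=2101 comm="dhcpcd-run-hook" name="resolvconf" dev="sda2" ino=1311 scontext=system_u:system_r:dhcpc_script_t:s0 tcontext=system_u:object_r:resolvconf_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1481300000.101:410): arch=c000003e syscall=59 success=no exit=-13 comm="dhcpcd-run-hook"
type=AVC msg=audit(1481300000.205:411): avc:  denied  { read open } for  pid=2101 comm="dhcpcd-run-hook" path="/sbin/resolvconf" dev="sda2" ino=1311 scontext=system_u:system_r:dhcpc_script_t:s0 tcontext=system_u:object_r:resolvconf_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1481300001.007:412): avc:  denied  { write } for  pid=2105 comm="resolvconf" name="resolv.conf" dev="sda2" ino=901 scontext=system_u:system_r:resolvconf_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Matches the permission set and the three context fields of a denial record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}\s+for\s.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def avcs_for_domain(log_text, domain):
    """Return (raw_lines, summary) for denials whose source type is `domain`.

    summary maps (target_type, object_class) to the sorted list of denied
    permissions, merged across all matching records.
    """
    raw, merged = [], defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None or selinux_type(m["scon"]) != domain:
            continue  # not a denial, or a denial from another domain
        raw.append(line)
        merged[(selinux_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    return raw, {key: sorted(perms) for key, perms in merged.items()}


if __name__ == "__main__":
    lines, summary = avcs_for_domain(SAMPLE_LOG, "dhcpc_script_t")
    print("\n".join(lines))  # raw records to paste into the bug
    for (ttype, tclass), perms in sorted(summary.items()):
        print(f"dhcpc_script_t -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```

Keeping the raw records alongside the merged summary matters for the report: the maintainer can see the comm and path fields that show which hook script triggered each denial.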