From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1433668740.abcbaf9dd3597c68f75999fb3f755dd4c158e3d4.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/netutils.te
X-VCS-Directories: policy/modules/admin/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: abcbaf9dd3597c68f75999fb3f755dd4c158e3d4
X-VCS-Branch: swift
Date: Tue, 9 Jun 2015 13:24:18 +0000 (UTC)

commit:     abcbaf9dd3597c68f75999fb3f755dd4c158e3d4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun 7 09:19:00 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jun 7 09:19:00 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=abcbaf9d

Fix bug 535988 - Do not audit device reads when invoking tcpdump

Occurs when invoking tcpdump without any options:

~# tcpdump

Denials:

time->Sun Jun 7 10:52:50 2015
type=AVC msg=audit(1433667170.527:83): avc: denied { read } for pid=17708 comm="tcpdump" name="usbmon4" dev="devtmpfs" ino=163 scontext=staff_u:sysadm_r:netutils_t:s0 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=0
time->Sun Jun 7 10:52:50 2015
type=AVC msg=audit(1433667170.527:84): avc: denied { search } for pid=17708 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0

X-Gentoo-Bug: 535988

 policy/modules/admin/netutils.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index b8169a8..54e1603 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -216,3 +216,14 @@ userdom_use_user_terminals(traceroute_t) dev_read_rand(traceroute_t) dev_read_urand(traceroute_t) files_read_usr_files(traceroute_t) + +ifdef(`distro_gentoo',` + ######################################## + # + # netutils_t policy updates + # + + # Fix bug 535988 + kernel_dontaudit_search_debugfs(netutils_t) + dev_dontaudit_read_usbmon_dev(netutils_t) +')
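Review bot: the two dontaudit rules are wrapped in `ifdef(`distro_gentoo',`, but nothing in the commit message ties these denials to Gentoo: they come from tcpdump probing the usbmon character devices and the debugfs root when it is started without an interface argument, which every refpolicy-based system will hit, so consider adding them to the unconditional netutils_t policy (or submitting them upstream) instead of carrying a distro-local block. The diffstat shows only netutils.te changed, so `kernel_dontaudit_search_debugfs()` and `dev_dontaudit_read_usbmon_dev()` must already be provided by kernel.if and devices.if in this tree; if either interface is not yet defined, it has to land in the same change or the module will not build. Style-wise, the new block is appended after the last traceroute_t rules at the end of the file while its header says "netutils_t policy updates"; placing it with the other netutils_t rules in that domain's local policy section would keep the file's per-domain grouping.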