commit: b3c2077a4cbaefff55da8c50baf3a8e24c1f0c67
Author: Steve Lawrence <slawrence <AT> tresys <DOT> com>
AuthorDate: Tue Dec 2 16:27:14 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 29 20:49:31 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b3c2077a
Remove optional else block for dhcp ping
Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.
Signed-off-by: Steve Lawrence <slawrence <AT> tresys.com>
---
policy/modules/system/sysnetwork.te | 3 ---
1 file changed, 3 deletions(-)
diff --git a/policy/modules/system/sysnetwork.te
b/policy/modules/system/sysnetwork.te
index e5c63d6..0e8ff59 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -197,9 +197,6 @@ optional_policy(`
optional_policy(`
netutils_run_ping(dhcpc_t, dhcpc_roles)
netutils_run(dhcpc_t, dhcpc_roles)
-',`
- allow dhcpc_t self:capability setuid;
- allow dhcpc_t self:rawip_socket create_socket_perms;
')
optional_policy(`
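Review bot: Dropping the else branch at the `',`` line means that a build where this optional block is not satisfied no longer gives dhcpc_t `self:capability setuid` or `self:rawip_socket create_socket_perms`, and the commit message says the change is untested. Before merging, please confirm on a policy built without the netutils module that the DHCP client's ping check still works and that no AVC denials for dhcpc_t on `capability { setuid }` or `rawip_socket` appear in the audit log. If the permissions turn out to be needed, a separate block that CIL can express would be preferable to restoring the else form. If they are not needed, the removal is a welcome privilege reduction, and a sentence in the commit message recording the test result would document why it is safe.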