This is for /proc/sys/vm/overcommit_memory, I noticed there is some discussion
about doing this in another way for many daemons as it's apparently a glibc
issue. Maybe don't apply this depending on how that discussion goes.
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/bind.te ./policy/modules/contrib/bind.te
--- /home/rjc/src/pol-git/policy/modules/contrib/bind.te 2016-07-30 08:14:41.077649338 +1000
+++ ./policy/modules/contrib/bind.te 2016-07-31 19:34:55.362849944 +1000
@@ -110,6 +110,7 @@
read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
kernel_read_kernel_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
kernel_read_system_state(named_t)
kernel_read_network_state(named_t)
On 07/31/16 05:37, Russell Coker wrote:
> This is for /proc/sys/vm/overcommit_memory, I noticed there is some discussion
> about doing this in another way for many daemons as it's apparently a glibc
> issue. Maybe don't apply this depending on how that discussion goes.
>
>
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/bind.te ./policy/modules/contrib/bind.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/bind.te 2016-07-30 08:14:41.077649338 +1000
> +++ ./policy/modules/contrib/bind.te 2016-07-31 19:34:55.362849944 +1000
> @@ -110,6 +110,7 @@
> read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
>
> kernel_read_kernel_sysctls(named_t)
> +kernel_read_vm_sysctls(named_t)
> kernel_read_system_state(named_t)
> kernel_read_network_state(named_t)
Yes, there is a kernel_read_vm_overcommit_sysctl().
--
Chris PeBenito
On Wed, 3 Aug 2016 09:43:18 AM Chris PeBenito wrote:
> > kernel_read_kernel_sysctls(named_t)
> >
> > +kernel_read_vm_sysctls(named_t)
> >
> > kernel_read_system_state(named_t)
> > kernel_read_network_state(named_t)
>
> Yes, there is a kernel_read_vm_overcommit_sysctl().
I've attached a new patch.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9011-named.patch
Type: text/x-patch
Size: 372 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160803/699ee374/attachment.bin
On 08/03/16 01:39, Russell Coker wrote:
> On Wed, 3 Aug 2016 09:43:18 AM Chris PeBenito wrote:
>>> kernel_read_kernel_sysctls(named_t)
>>>
>>> +kernel_read_vm_sysctls(named_t)
>>>
>>> kernel_read_system_state(named_t)
>>> kernel_read_network_state(named_t)
>>
>> Yes, there is a kernel_read_vm_overcommit_sysctl().
>
> I've attached a new patch.
Merged.
--
Chris PeBenito