---
mandb.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/mandb.te b/mandb.te
index 5c759da..de1ac65 100644
--- a/mandb.te
+++ b/mandb.te
@@ -10,7 +10,7 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
-application_domain(mandb_t, mandb_exec_t)
+init_system_domain(mandb_t, mandb_exec_t)
role mandb_roles types mandb_t;
type mandb_unit_t;
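Review bot: On the `init_system_domain(mandb_t, mandb_exec_t)` line, the explicit `application_domain` call is dropped with no commit message or comment saying why mandb_t becomes a system domain, or whether it is still meant to be entered as an application domain. Add a short rationale to the commit message (the context already declares `mandb_unit_t`, so mention that mandb is started by init), and either keep the `application_domain` line or state that `init_system_domain` already covers it.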
@@ -40,6 +40,8 @@ domain_use_interactive_fds(mandb_t)
files_dontaudit_search_home(mandb_t)
files_read_etc_files(mandb_t)
+# /usr/local/man
+files_read_usr_symlinks(mandb_t)
# search /var/run/nscd/socket
files_search_pids(mandb_t)
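Review bot: The new comment `# /usr/local/man` above `files_read_usr_symlinks(mandb_t)` names a path but not the reason for the rule, unlike the neighbouring `# search /var/run/nscd/socket`. Say what the access is, for example that /usr/local/man is a symlink mandb has to read, so a later reader can tell why symlink read access on usr files was granted.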
--
2.14.1
On 09/12/2017 05:24 AM, Christian Göttsche via refpolicy wrote:
> ---
> mandb.te | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/mandb.te b/mandb.te
> index 5c759da..de1ac65 100644
> --- a/mandb.te
> +++ b/mandb.te
> @@ -10,7 +10,7 @@ roleattribute system_r mandb_roles;
>
> type mandb_t;
> type mandb_exec_t;
> -application_domain(mandb_t, mandb_exec_t)
> +init_system_domain(mandb_t, mandb_exec_t)
The way the policy is written, it seems like mandb is both an
application domain and a system domain.
> role mandb_roles types mandb_t;
>
> type mandb_unit_t;
> @@ -40,6 +40,8 @@ domain_use_interactive_fds(mandb_t)
>
> files_dontaudit_search_home(mandb_t)
> files_read_etc_files(mandb_t)
> +# /usr/local/man
> +files_read_usr_symlinks(mandb_t)
> # search /var/run/nscd/socket
> files_search_pids(mandb_t)
>
>
--
Chris PeBenito
2017-09-13 1:59 GMT+02:00 Chris PeBenito <[email protected]>:
> On 09/12/2017 05:24 AM, Christian Göttsche via refpolicy wrote:
>>
>> ---
>> mandb.te | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/mandb.te b/mandb.te
>> index 5c759da..de1ac65 100644
>> --- a/mandb.te
>> +++ b/mandb.te
>> @@ -10,7 +10,7 @@ roleattribute system_r mandb_roles;
>> type mandb_t;
>> type mandb_exec_t;
>> -application_domain(mandb_t, mandb_exec_t)
>> +init_system_domain(mandb_t, mandb_exec_t)
>
>
> The way the policy is written, it seems like mandb is both an application
> domain and a system domain.
>
Should both calls be present, although `init_system_domain` calls
`application_domain`?
>
>> role mandb_roles types mandb_t;
>> type mandb_unit_t;
>> @@ -40,6 +40,8 @@ domain_use_interactive_fds(mandb_t)
>> files_dontaudit_search_home(mandb_t)
>> files_read_etc_files(mandb_t)
>> +# /usr/local/man
>> +files_read_usr_symlinks(mandb_t)
>> # search /var/run/nscd/socket
>> files_search_pids(mandb_t)
>>
>
>
>
> --
> Chris PeBenito
On 09/13/2017 04:08 AM, Christian Göttsche wrote:
> 2017-09-13 1:59 GMT+02:00 Chris PeBenito <[email protected]>:
>> On 09/12/2017 05:24 AM, Christian Göttsche via refpolicy wrote:
>>>
>>> ---
>>> mandb.te | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/mandb.te b/mandb.te
>>> index 5c759da..de1ac65 100644
>>> --- a/mandb.te
>>> +++ b/mandb.te
>>> @@ -10,7 +10,7 @@ roleattribute system_r mandb_roles;
>>> type mandb_t;
>>> type mandb_exec_t;
>>> -application_domain(mandb_t, mandb_exec_t)
>>> +init_system_domain(mandb_t, mandb_exec_t)
>>
>>
>> The way the policy is written, it seems like mandb is both an application
>> domain and a system domain.
>>
>
> Should both calls be present, although `init_system_domain` calls
> `application_domain`?
Sorry, I looked if that was the case and still somehow missed it.
--
Chris PeBenito
On 09/12/2017 05:24 AM, Christian Göttsche via refpolicy wrote:
> ---
> mandb.te | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/mandb.te b/mandb.te
> index 5c759da..de1ac65 100644
> --- a/mandb.te
> +++ b/mandb.te
> @@ -10,7 +10,7 @@ roleattribute system_r mandb_roles;
>
> type mandb_t;
> type mandb_exec_t;
> -application_domain(mandb_t, mandb_exec_t)
> +init_system_domain(mandb_t, mandb_exec_t)
> role mandb_roles types mandb_t;
>
> type mandb_unit_t;
> @@ -40,6 +40,8 @@ domain_use_interactive_fds(mandb_t)
>
> files_dontaudit_search_home(mandb_t)
> files_read_etc_files(mandb_t)
> +# /usr/local/man
> +files_read_usr_symlinks(mandb_t)
> # search /var/run/nscd/socket
> files_search_pids(mandb_t)
Merged.
--
Chris PeBenito