From: gentoo+selinux@lerya.net (Vincent Brillault)
Date: Sat, 2 Aug 2014 20:35:36 +0200
Subject: [refpolicy] [PATCH 2/2] Extend kernel_search_*_overcommit_sysctl search
In-Reply-To: <1407004536-2301-1-git-send-email-gentoo+selinux@lerya.net>
References: <1407004536-2301-1-git-send-email-gentoo+selinux@lerya.net>
Message-ID: <1407004536-2301-3-git-send-email-gentoo+selinux@lerya.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Vincent Brillault
When going to /proc/sys/vm/overcommit_memory, passing through /proc/sys/vm, i-e sysctl_vm_t, is required
---
policy/modules/kernel/kernel.if | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 122d560..4ba431a 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3222,10 +3222,10 @@ interface(`kernel_unconfined',`
 #
 interface(`kernel_search_vm_overcommit_sysctl',`
 gen_require(`
-type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 ')
 
-search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+search_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)
 ')
 
 ########################################
@@ -3241,10 +3241,10 @@ interface(`kernel_search_vm_overcommit_sysctl',`
 #
 interface(`kernel_read_vm_overcommit_sysctls',`
 gen_require(`
-type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 ')
 
-read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
 ')
 
 ########################################
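Review bot: The added `read_files_pattern` line in `kernel_read_vm_overcommit_sysctls` re-lists the whole /proc/sys traversal set to reach sysctl_vm_overcommit_t, and the same list is repeated in the `rw_files_pattern` and `list_dirs_pattern` lines of the `kernel_rw_vm_overcommit_sysctls` hunk, which is why this commit had to patch the path in three places. If calling a sibling interface from inside an interface is acceptable in this file, the read and rw interfaces could instead call `kernel_search_vm_overcommit_sysctl($1)` and keep only the target type in their own patterns, e.g. `kernel_search_vm_overcommit_sysctl($1)` followed by `read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)`, which should grant the same search and read permissions given what the two patterns expand to. The `gen_require` blocks of the two file-access interfaces would then only need sysctl_vm_overcommit_t, and the next path change would land in one place. The interface summaries sit above each hunk, so the documented intent of each interface is not visible here.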
@@ -3260,9 +3260,9 @@ interface(`kernel_read_vm_overcommit_sysctls',`
 #
 interface(`kernel_rw_vm_overcommit_sysctls',`
 gen_require(`
-type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 ')
 
-rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
-list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+list_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)
 ')
-- 
1.8.5.5
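Review bot: The added `rw_files_pattern($1 ,{ ...` line carries over the stray space before the comma from the line it replaces; since the line is rewritten anyway, `rw_files_pattern($1, { proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)` would match the `list_dirs_pattern` call directly below it. On the permission side both new lines only add sysctl_vm_t to the intermediate directory set of their pattern, so the caller gains traversal of /proc/sys/vm but not the ability to list it or read its other entries, which keeps this interface narrower than a general vm-sysctl access interface and is worth preserving if these calls are ever consolidated. The closing `')` is inside the hunk, so the interface body is complete here.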