From: gentoo+selinux@lerya.net (Vincent Brillault)
Date: Sat, 2 Aug 2014 20:47:41 +0200
Subject: [refpolicy] [PATCH v2 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains
In-Reply-To: <1407004536-2301-1-git-send-email-gentoo+selinux@lerya.net>
References: <1407004536-2301-1-git-send-email-gentoo+selinux@lerya.net>
Message-ID: <1407005263-3144-1-git-send-email-gentoo+selinux@lerya.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This v2 fixes the author of the first commit (which was lost as I played too much with the "From" headers).

Since a "recent" change in glibc (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb583c0e585e83a01253299afed9ea9a11), a lot of different domains try to read /proc/sys/vm/overcommit_memory. This generates a lot of AVC denials like the following:

  allow * sysctl_vm_t:dir search;
  allow * sysctl_vm_t:file { read open };

This access seems to be useless unless /proc/sys/vm/overcommit_memory contains '2', so the denials probably don't hurt, but I see no reason not to allow this access. More details can be found on https://bugzilla.redhat.com/show_bug.cgi?id=872729

The first patch is directly taken from the Fedora policy; I only rebased it (and added a comment).

Cheers,
Vincent Brillault
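A small triage script, added here as an illustration and not part of this patch series or of refpolicy, that reads AVC denials targeting sysctl_vm_t and separates the read-only pattern described in the cover letter (dir search, file read/open on /proc/sys/vm/overcommit_memory) from any other access to that type, which a policy author would still want to justify individually before writing an allow rule. The audit lines, the domain names cupsd_t and tuner_t, and the PIDs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the refpolicy patch series: triage AVC denials
# against sysctl_vm_t and separate the read-only probes glibc now performs
# (dir:search, file:read/open on /proc/sys/vm/overcommit_memory) from any
# other access, which still needs its own justification.
# The audit lines below are constructed for illustration.

SAMPLE_AVC='type=AVC msg=audit(1406990000.123:456): avc:  denied  { search } for  pid=1234 comm="cupsd" name="vm" dev="proc" ino=5678 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1406990001.456:457): avc:  denied  { read open } for  pid=1234 comm="cupsd" name="overcommit_memory" dev="proc" ino=5679 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0
type=AVC msg=audit(1406990002.789:458): avc:  denied  { write } for  pid=999 comm="tuner" name="overcommit_memory" dev="proc" ino=5679 scontext=system_u:system_r:tuner_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0
type=AVC msg=audit(1406990003.000:459): avc:  denied  { read } for  pid=42 comm="sshd" name="shadow" dev="sda1" ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# vm_sysctl_denials LOG
# Emit one line per AVC denial whose target type is sysctl_vm_t:
#   <source domain> <target class> <comma-separated permissions>
vm_sysctl_denials() {
  printf '%s\n' "$1" | awk '
    /avc:  denied/ && /tcontext=[^ ]*:sysctl_vm_t:/ {
      dom = ""; cls = ""; perms = ""
      for (i = 1; i <= NF; i++) {
        # permissions sit between "{" and "}" and may be several, e.g. { read open }
        if ($i == "{") {
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perms = perms (perms == "" ? "" : ",") $j
        }
        if ($i ~ /^scontext=/) { split($i, s, ":"); dom = s[3] }
        if ($i ~ /^tclass=/)   { split($i, t, "="); cls = t[2] }
      }
      print dom, cls, perms
    }'
}

# count_vm_denials LOG: number of sysctl_vm_t denials in the log
count_vm_denials() {
  vm_sysctl_denials "$1" | awk 'END { print NR }'
}

# unexpected_vm_denials LOG
# Number of sysctl_vm_t denials that are NOT the harmless read-only pattern
# from the cover letter (dir:search, file:read or file:open).
unexpected_vm_denials() {
  vm_sysctl_denials "$1" | awk '
    {
      ok = 1
      n = split($3, p, ",")
      for (k = 1; k <= n; k++) {
        if ($2 == "dir"  && p[k] == "search") continue
        if ($2 == "file" && (p[k] == "read" || p[k] == "open")) continue
        ok = 0
      }
      if (!ok) bad++
    }
    END { print bad + 0 }'
}

# Show the triage for the constructed sample.
vm_sysctl_denials "$SAMPLE_AVC"
echo "unexpected sysctl_vm_t denials: $(unexpected_vm_denials "$SAMPLE_AVC")"
```

On the sample, the two cupsd_t lines are exactly the read-only probe the glibc change introduced and are the ones a blanket read rule covers; the write from tuner_t is counted as unexpected because changing the overcommit setting is a very different capability from reading it, and the shadow_t denial is ignored since it does not concern sysctl_vm_t at all.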