From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 14 Aug 2014 15:29:28 -0400
Subject: [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory
In-Reply-To: <1407005263-3144-2-git-send-email-gentoo+selinux@lerya.net>
References: <1407004536-2301-1-git-send-email-gentoo+selinux@lerya.net> <1407005263-3144-1-git-send-email-gentoo+selinux@lerya.net> <1407005263-3144-2-git-send-email-gentoo+selinux@lerya.net>
Message-ID: <53ED0E18.1050500@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/2/2014 2:47 PM, Vincent Brillault wrote:
> From: Dan Walsh
>
> glibc malloc reads this file since commit 9fab36eb
> (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb)
>
> Patch adapted from commit 343c0887514718387f36ee8ead2b941ba9bfb894
> on fedora selinux-policy
>
> Signed-off-by: Vincent Brillault
> ---
>  policy/modules/kernel/domain.te |  4 +++
>  policy/modules/kernel/kernel.if | 57 +++++++++++++++++++++++++++++++++++++++++
>  policy/modules/kernel/kernel.te |  4 +++
>  3 files changed, 65 insertions(+)
>
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index 4af7dbd..b95c75d 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -99,6 +99,10 @@ allow domain self:process { fork sigchld };
>  # glibc get_nprocs requires read access to /sys/devices/system/cpu/online
>  dev_read_cpu_online(domain)
>
> +# glibc malloc requires access to /proc/sys/vm/overcommit_memory
> +# see https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb
> +kernel_read_vm_overcommit_sysctls(domain)

This set of lines should go higher than dev_read_cpu_online().

> +interface(`kernel_read_vm_overcommit_sysctls',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
> +	')
> +
> +	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
> +')

[...]

> +interface(`kernel_rw_vm_overcommit_sysctls',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
> +	')
> +
> +	rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
> +	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
> +')

These two interfaces are overspecified. sysctl_vm_overcommit_t shouldn't be included in the second parameter of the patterns (read_files_pattern and rw_files_pattern) since the type is never used on a directory.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
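Review bot: in the domain.te hunk the new comment says glibc malloc "requires access" to /proc/sys/vm/overcommit_memory, but the interface called right below it, kernel_read_vm_overcommit_sysctls(domain), grants read-only access, and the neighbouring comment for dev_read_cpu_online() spells out "read access"; since this rule reaches every domain, state the scope explicitly, e.g. `# glibc malloc requires read access to /proc/sys/vm/overcommit_memory`, so a later reader does not assume write access was intended.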
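Review bot: in kernel_read_vm_overcommit_sysctls, the read_files_pattern call lists sysctl_vm_overcommit_t among the directory types in its second argument, which grants search_dir_perms on a type that is only ever applied to a single file; the corrected line is `read_files_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)`, which already carries the search permission on proc_t and sysctl_t that opening /proc/sys/vm/overcommit_memory needs, so no extra directory rule is required here.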
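Review bot: in kernel_rw_vm_overcommit_sysctls, the rw_files_pattern line has a misplaced comma (`rw_files_pattern($1 ,{ proc_t ...`) that should read `rw_files_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)` once the file-only type is dropped from the directory set; in addition, the `list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)` line grants list_dir_perms on sysctl_vm_overcommit_t as a directory, which never exists, while its search grants on proc_t and sysctl_t duplicate what rw_files_pattern already gives, so the line adds nothing and can be removed, which also makes the rw interface mirror the read one.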