From: dominick.grift@gmail.com (Dominick Grift)
Date: Thu, 14 Aug 2014 21:47:13 +0200
Subject: [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory
In-Reply-To: <53ED0E18.1050500@tresys.com>
References: <1407004536-2301-1-git-send-email-gentoo+selinux@lerya.net>
 <1407005263-3144-1-git-send-email-gentoo+selinux@lerya.net>
 <1407005263-3144-2-git-send-email-gentoo+selinux@lerya.net>
 <53ED0E18.1050500@tresys.com>
Message-ID: <1408045633.8445.3.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2014-08-14 at 15:29 -0400, Christopher J. PeBenito wrote:
> These two interfaces are overspecified. sysctl_vm_overcommit_t
> shouldn't be included in the second parameter of the patterns
> (read_files_pattern and rw_files_pattern) since the type is never used
> on a directory.
>

I do not like associating these "secondary" rules with a type attribute as fundamental as domain. The domain type attribute is fundamental to the policy due to the neverallow rules that are associated with it. I want to be able to create "domains" that respect the neverallow rules but I do not want to be forced to use these "secondary" rules.
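To make the "overspecified" remark concrete, the following is an added illustration and not the patch under review or refpolicy's own code. It assumes the refpolicy definition of read_files_pattern (second argument: directory types searched on the way to the file; third argument: the file type) and the existing refpolicy types proc_t, sysctl_t and sysctl_vm_t for /proc, /proc/sys and /proc/sys/vm; the interface name example_read_vm_overcommit_sysctl is a placeholder, not the name used in the patch.

```m4
## Assumed refpolicy support macro (policy/support/misc_patterns.spt),
## quoted here for reference:
##
##   define(`read_files_pattern',`
##       allow $1 $2:dir search_dir_perms;
##       allow $1 $3:file read_file_perms;
##   ')
##
## The second parameter becomes the type set of a `dir' rule. Putting a
## type that is only ever applied to a file there produces a rule that
## can never match.

## Overspecified form (what the review objects to):
##
##   read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
##
## expands to
##
##   allow $1 proc_t:dir search_dir_perms;
##   allow $1 sysctl_t:dir search_dir_perms;
##   allow $1 sysctl_vm_t:dir search_dir_perms;
##   allow $1 sysctl_vm_overcommit_t:dir search_dir_perms;   <- dead rule
##   allow $1 sysctl_vm_overcommit_t:file read_file_perms;

## Corrected form: only the directory types actually on the path
## /proc -> /proc/sys -> /proc/sys/vm in the second parameter.
## (example interface name, not the one used in the patch)
interface(`example_read_vm_overcommit_sysctl',`
	gen_require(`
		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
	')

	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)
')
```

The same reasoning applies to rw_files_pattern, which differs only in granting rw_file_perms on the third argument; its directory parameter should likewise list only the path's directory types.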