From: dominick.grift@gmail.com (Dominick Grift)
Date: Thu, 14 Aug 2014 21:47:13 +0200
Subject: [refpolicy] [PATCH v2 1/2] Allow all domains to read
 /proc/sys/vm/overcommit_memory
In-Reply-To: <53ED0E18.1050500@tresys.com>
References: <1407004536-2301-1-git-send-email-gentoo+selinux@lerya.net>
	<1407005263-3144-1-git-send-email-gentoo+selinux@lerya.net>
	<1407005263-3144-2-git-send-email-gentoo+selinux@lerya.net>
	<53ED0E18.1050500@tresys.com>
Message-ID: <1408045633.8445.3.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2014-08-14 at 15:29 -0400, Christopher J. PeBenito wrote:

> These two interfaces are overspecified.  sysctl_vm_overcommit_t
> shouldn't be included in the second parameter of the patterns
> (read_files_pattern and rw_files_pattern) since the type is never used
> on a directory.
> 

I do not like associating these "secondary" rules with an type attribute
as fundamental as domain.

domain type attribute is fundamental to the policy due to the neverallow
rules that are associated with it.

I want to be able to create "domains" that respect the neverallow rule
but i do not want to be forced to use these "secondary" rules.