From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 14 Aug 2014 15:59:07 -0400
Subject: [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory
In-Reply-To: <1408045633.8445.3.camel@x220.localdomain>
References: <1407004536-2301-1-git-send-email-gentoo+selinux@lerya.net>
 <1407005263-3144-1-git-send-email-gentoo+selinux@lerya.net>
 <1407005263-3144-2-git-send-email-gentoo+selinux@lerya.net>
 <53ED0E18.1050500@tresys.com>
 <1408045633.8445.3.camel@x220.localdomain>
Message-ID: <53ED150B.6080601@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/14/2014 3:47 PM, Dominick Grift wrote:
> On Thu, 2014-08-14 at 15:29 -0400, Christopher J. PeBenito wrote:
>
>> These two interfaces are overspecified. sysctl_vm_overcommit_t
>> shouldn't be included in the second parameter of the patterns
>> (read_files_pattern and rw_files_pattern) since the type is never used
>> on a directory.
>>
>
> I do not like associating these "secondary" rules with a type attribute
> as fundamental as domain.

I don't understand what you mean by "secondary". If all domains (at least all those linked with glibc, which is usually all) require this access, how is it secondary?

> domain type attribute is fundamental to the policy due to the neverallow
> rules that are associated with it.
>
> I want to be able to create "domains" that respect the neverallow rule
> but I do not want to be forced to use these "secondary" rules.

What neverallow is violated with these rules?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
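To make the "overspecified" remark concrete, here is an added illustration of the interface shape being discussed; it is not the patch from the thread nor code from the refpolicy project, and the interface name and the container types (proc_t, sysctl_t, sysctl_vm_t) are assumed for the example. The first interface puts the file type into the directory parameter of read_files_pattern, the second keeps only the directory types there.

```m4
# Added example, not the patch under review. Interface name and the
# container types proc_t, sysctl_t and sysctl_vm_t are assumptions.

# Overspecified: sysctl_vm_overcommit_t is listed in the directory
# parameter ($2) of read_files_pattern, but that type is only ever
# applied to a file, so the dir rule it generates for that type can
# never match anything.
interface(`kernel_read_vm_overcommit_sysctl_overspecified',`
	gen_require(`
		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
	')

	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
')

# Corrected: $2 holds only the directory types on the path
# /proc -> /proc/sys -> /proc/sys/vm; the file type is $3 alone.
interface(`kernel_read_vm_overcommit_sysctl',`
	gen_require(`
		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
	')

	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)
')
```

read_files_pattern($1, $2, $3) expands to a dir search rule for every type in $2 and a file read rule for $3, so a type that is never used as a directory label in $2 only adds a dead allow rule to the compiled policy; keeping $2 to the actual path components is what the review comment asks for, and the same applies to rw_files_pattern.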