From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 14 Aug 2014 15:59:07 -0400
Subject: [refpolicy] [PATCH v2 1/2] Allow all domains to read
	/proc/sys/vm/overcommit_memory
In-Reply-To: <1408045633.8445.3.camel@x220.localdomain>
References: <1407004536-2301-1-git-send-email-gentoo+selinux@lerya.net>		<1407005263-3144-1-git-send-email-gentoo+selinux@lerya.net>	
	<1407005263-3144-2-git-send-email-gentoo+selinux@lerya.net>	
	<53ED0E18.1050500@tresys.com>
	<1408045633.8445.3.camel@x220.localdomain>
Message-ID: <53ED150B.6080601@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/14/2014 3:47 PM, Dominick Grift wrote:
> On Thu, 2014-08-14 at 15:29 -0400, Christopher J. PeBenito wrote:
> 
>> These two interfaces are overspecified.  sysctl_vm_overcommit_t
>> shouldn't be included in the second parameter of the patterns
>> (read_files_pattern and rw_files_pattern) since the type is never used
>> on a directory.
>>
> 
> I do not like associating these "secondary" rules with an type attribute
> as fundamental as domain.

I don't understand what you mean by "secondary".  If all domains (at
least all those linked with glibc, which is usually all) require this
access, how is it secondary?

> domain type attribute is fundamental to the policy due to the neverallow
> rules that are associated with it.
> 
> I want to be able to create "domains" that respect the neverallow rule
> but i do not want to be forced to use these "secondary" rules.

What neverallow is violated with these rules?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com