From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 27 Apr 2016 18:56:55 +0200
Subject: [refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy
In-Reply-To: <811e1359-2b99-91a5-a7dc-aca858fc1224@gmail.com>
References: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com> <1461770515-13153-1-git-send-email-grzegorz.andrejczuk@intel.com> <1461770515-13153-2-git-send-email-grzegorz.andrejczuk@intel.com> <811e1359-2b99-91a5-a7dc-aca858fc1224@gmail.com>
Message-ID: <51151c5a-fc5c-7436-85ea-a82faa9560eb@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/27/2016 06:51 PM, Dominick Grift wrote:
> On 04/27/2016 06:47 PM, Jason Zaman wrote:
>
>>> + +######################################## +## +## >>> Manage hwloc runtime. +## +## >>> +## +## Domain allowed access. +## >>> +## +# +interface(`hwloc_manage_runtime',` >>> + gen_require(` + type hwloc_var_run_t; + >>> ') + + files_rw_pid_dirs($1)
>> This seems wrong. Shouldn't it be a pid filetrans on 'hwloc'?
>> There is no reason to give rw perms on everything in /run.
>
>
> This is suitable for use with manual type transition
>
> Example: mkdir -Z /var/run/hwloc
>
> Mainly for sysadm
>

Also you do realize that files_pid_filetrans() provides similar access?
All it does is it allows one to read/write generic runtime dirs.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
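
Review bot: The summary for `hwloc_manage_runtime` says only "Manage hwloc runtime.", but the last visible line of the body, `files_rw_pid_dirs($1)`, also gives the caller read/write access to generic pid directories, which is not hwloc-specific. The interface documentation should state that extra access and the reason for it (the thread gives manual creation of /var/run/hwloc, for example with `mkdir -Z`), so a caller knows what it receives beyond access to `hwloc_var_run_t`. The quoted hunk stops at that line, so the rules that actually use `hwloc_var_run_t` cannot be checked from what is shown here.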