From: russell@coker.com.au (Russell Coker)
Date: Sun, 31 Jul 2016 19:37:00 +1000
Subject: [refpolicy] [PATCH] named reads vm sysctls
Message-ID: <20160731093700.5xs4jcqx4kymty76@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This is for /proc/sys/vm/overcommit_memory. I noticed there is some discussion about doing this in another way for many daemons, as it's apparently a glibc issue. Maybe don't apply this depending on how that discussion goes.

diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/bind.te ./policy/modules/contrib/bind.te --- /home/rjc/src/pol-git/policy/modules/contrib/bind.te 2016-07-30 08:14:41.077649338 +1000 +++ ./policy/modules/contrib/bind.te 2016-07-31 19:34:55.362849944 +1000 @@ -110,6 +110,7 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) kernel_read_kernel_sysctls(named_t) +kernel_read_vm_sysctls(named_t) kernel_read_system_state(named_t) kernel_read_network_state(named_t)
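Review bot: The added `kernel_read_vm_sysctls(named_t)` line grants named read access to the vm sysctl class as a whole, which is wider than the single /proc/sys/vm/overcommit_memory file the message cites as the motivation; the patch description should record the actual denial that was observed so a reviewer can confirm that only that read is needed and not some broader /proc/sys/vm access. Since the message itself says the read is most likely generic glibc behaviour that affects many daemons and is being discussed as a policy-wide change, this per-domain rule in bind.te will become redundant (or inconsistent with whatever common pattern is chosen) if that discussion lands; it would be better to hold this hunk until that is decided, or to state in the commit message why bind needs it independently of the general fix.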