From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 2 Aug 2016 19:43:18 -0400
Subject: [refpolicy] [PATCH] named reads vm sysctls
In-Reply-To: <20160731093700.5xs4jcqx4kymty76@athena.coker.com.au>
References: <20160731093700.5xs4jcqx4kymty76@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/31/16 05:37, Russell Coker wrote:
> This is for /proc/sys/vm/overcommit_memory, I noticed there is some discussion
> about doing this in another way for many daemons as it's apparently a glibc
> issue. Maybe don't apply this depending on how that discussion goes.
>
>
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/bind.te ./policy/modules/contrib/bind.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/bind.te 2016-07-30 08:14:41.077649338 +1000
> +++ ./policy/modules/contrib/bind.te 2016-07-31 19:34:55.362849944 +1000
> @@ -110,6 +110,7 @@
> read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
>
> kernel_read_kernel_sysctls(named_t)
> +kernel_read_vm_sysctls(named_t)
> kernel_read_system_state(named_t)
> kernel_read_network_state(named_t)

Yes, there is a kernel_read_vm_overcommit_sysctl().

-- 
Chris PeBenito
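Review bot: the added line in the @@ -110,6 +110,7 @@ hunk, `kernel_read_vm_sysctls(named_t)`, grants named_t read access to the whole /proc/sys/vm tree, while the description says the only file needed is /proc/sys/vm/overcommit_memory; the narrower kernel_read_vm_overcommit_sysctl() interface mentioned in the reply covers exactly that file, so `kernel_read_vm_overcommit_sysctl(named_t)` in place of `kernel_read_vm_sysctls(named_t)` keeps the grant to what the daemon actually reads. Since the description also says this is a glibc behaviour affecting many daemons, if the separate discussion settles on a common place for the rule, this per-domain line would become redundant and should be dropped at that point rather than left in bind.te.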