From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 30 Dec 2016 18:04:53 +0100
Subject: [refpolicy] [PATCH v3] xserver: restrict executable memory
 permissions
In-Reply-To: <CAJ2a_DeObY2AYCE_iZe_UpyvvFsRoQ4B9T_e-qFp_+wfqXNF_w@mail.gmail.com>
References: <1482945627.7302.8.camel@trentalancia.net>
	<1482954976.2738.9.camel@trentalancia.net>
	<1483058219.31174.0.camel@trentalancia.net>
	<CAJ2a_DdzqHvRtwjbmDyS+LCbLxtoCViR2ZFwCTv+HPiqYKYeSA@mail.gmail.com>
	<5E73ADF9-BB01-429C-A1EC-9C33CDEC589C@trentalancia.net>
	<CAJ2a_DeObY2AYCE_iZe_UpyvvFsRoQ4B9T_e-qFp_+wfqXNF_w@mail.gmail.com>
Message-ID: <1483117493.7186.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 30/12/2016 at 17.07 +0100, cgzones wrote:
> Hi,
> 
> 2016-12-30 2:42 GMT+01:00 Guido Trentalancia via refpolicy
> <refpolicy@oss.tresys.com>:
> > 
> > Hello again.
> > 
> > I have double-checked and the difference between /usr/share and
> > /var/lib is between architetture-independent and single-machine
> > data, not between read-only and writable.

I correct myself. The former also implies read-only files.

> Quoting FHS 3.0:
> 
> /usr/share
> "The /usr/share hierarchy is for all read-only architecture
> independent data files."
> (http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html)
> 
> /var/lib
> "This hierarchy holds state information pertaining to an application
> or the system. State information is data that programs modify while
> they run, and that pertains to one specific host."
> (http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s08.html)
> 
> > 
> > I hope it helps.
> > 
> > Regards,
> > 
> > Guido
> > 
> 
> Btw, I am not against this patch, just wanted to make sure this
> specific change was intentional and note that it's a bit unhandsome.

I confirm, it is a sort of bug in xserver (the actual package, not the
policy module).

Regards,

Guido