From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 30 Dec 2016 18:04:53 +0100
Subject: [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
In-Reply-To:
References: <1482945627.7302.8.camel@trentalancia.net> <1482954976.2738.9.camel@trentalancia.net> <1483058219.31174.0.camel@trentalancia.net> <5E73ADF9-BB01-429C-A1EC-9C33CDEC589C@trentalancia.net>
Message-ID: <1483117493.7186.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 30/12/2016 at 17.07 +0100, cgzones wrote:
> Hi,
>
> 2016-12-30 2:42 GMT+01:00 Guido Trentalancia via refpolicy
> :
> >
> > Hello again.
> >
> > I have double-checked and the difference between /usr/share and
> > /var/lib is between architecture-independent and single-machine
> > data, not between read-only and writable.

I correct myself. The former also implies read-only files.

> Quoting FHS 3.0:
>
> /usr/share
> "The /usr/share hierarchy is for all read-only architecture
> independent data files."
> (http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html)
>
> /var/lib
> "This hierarchy holds state information pertaining to an application
> or the system. State information is data that programs modify while
> they run, and that pertains to one specific host."
> (http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s08.html)
>
> >
> > I hope it helps.
> >
> > Regards,
> >
> > Guido
> >
>
> Btw, I am not against this patch, just wanted to make sure this
> specific change was intentional and note that it's a bit unhandsome.

I confirm, it is a sort of bug in xserver (the actual package, not the policy module).

Regards,

Guido