From: aranea@aixah.de (Luis Ressel)
Date: Wed, 7 Jun 2017 13:36:49 +0200
Subject: [refpolicy] [PATCH] system/miscfiles: Also accept the path /usr/share/postgresql-$version
In-Reply-To: <5ccf98c0-6d65-0594-1d5d-172d2ada3f1f@ieee.org>
References: <20170605204734.24670-1-aranea@aixah.de> <5ccf98c0-6d65-0594-1d5d-172d2ada3f1f@ieee.org>
Message-ID: <20170607133649.322a4b6f@vega.skynet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 6 Jun 2017 20:09:56 -0400
Chris PeBenito wrote:

> I wonder if it makes more sense to generalize this by changing
> /usr/man(/.*)? to /usr/(.*/)?man(/.*)? instead.

I suppose you mean "/usr/share/(.*/)?man(/.*)?"? Your regex would also
match "man" directories in /usr/lib/, but it wouldn't apply to them
anyway, since the "/usr/lib(/.*)?" fc supersedes it.

We could of course add a second fc for that, "/usr/lib/(.*/)?man(/.*)?",
but I'm not sure whether it's worth it, since there are few man
directories in /usr/lib (only /usr/lib/erlang/man on my system, plus the
false positive /usr/lib/swipl-7.2.3/xpce/man), and every domain is
allowed to access lib_t anyway.

Regards,
Luis Ressel
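
Added example, not part of the original message or of refpolicy: a simplified Python model of which file-context entry wins for the paths discussed in this thread. It assumes entries are matched as fully anchored regexes and that the entry with the longer literal prefix takes precedence (an approximation of how the policy's fc entries are ordered); the `man_t`/`lib_t` pairings and the `postgresql-9.6` path are constructed sample values.

```python
import re

# Constructed entries: the regexes named in the thread, with assumed types.
SPECS = [
    ("/usr/lib(/.*)?", "lib_t"),
    ("/usr/(.*/)?man(/.*)?", "man_t"),        # regex as quoted from Chris
    ("/usr/share/(.*/)?man(/.*)?", "man_t"),  # narrower variant
    ("/usr/lib/(.*/)?man(/.*)?", "man_t"),    # optional second entry
]

META = set(".^$?*+|[({")


def stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in META:
            return i
    return len(regex)


def specificity(regex):
    # Assumed ordering: longer literal stem wins, then longer regex text.
    return (stem_len(regex), len(regex))


def resolve(path, specs):
    """Return (regex, type) of the most specific matching entry, or None."""
    hits = [(r, t) for r, t in specs if re.fullmatch(r, path)]
    return max(hits, key=lambda h: specificity(h[0])) if hits else None


if __name__ == "__main__":
    paths = [
        "/usr/share/postgresql-9.6/man/man1/psql.1",  # constructed path
        "/usr/lib/erlang/man",
        "/usr/lib/swipl-7.2.3/xpce/man",
    ]
    for label, specs in (("first two entries", SPECS[:2]), ("all entries", SPECS)):
        for p in paths:
            print(label, p, resolve(p, specs))
```

With only the first two entries, both /usr/lib paths resolve to `lib_t` even though the broad man regex matches them; once the `/usr/lib/(.*/)?man(/.*)?` entry is present, both become `man_t`, including the swipl directory the message calls a false positive.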