From: aranea@aixah.de (Luis Ressel)
Date: Wed, 7 Jun 2017 13:36:49 +0200
Subject: [refpolicy] [PATCH] system/miscfiles: Also accept the path
 /usr/share/postgresql-$version
In-Reply-To: <5ccf98c0-6d65-0594-1d5d-172d2ada3f1f@ieee.org>
References: <20170605204734.24670-1-aranea@aixah.de>
	<5ccf98c0-6d65-0594-1d5d-172d2ada3f1f@ieee.org>
Message-ID: <20170607133649.322a4b6f@vega.skynet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 6 Jun 2017 20:09:56 -0400
Chris PeBenito <pebenito@ieee.org> wrote:

> I wonder if it makes more sense to generalize this by changing 
> /usr/man(/.*)? to /usr/(.*/)?man(/.*)? instead.

I suppose you mean "/usr/share/(.*/)?man(/.*)?"? Your regex would also
match "man" directories in /usr/lib/, but it wouldn't apply to them
anyway, since the "/usr/lib(/.*)?" fc supersedes it.

We could of course add a second fc for that,
"/usr/lib/(.*/)?man(/.*)?", but I'm not sure whether it's worth it,
since there are few man directories in /usr/lib
(only /usr/lib/erlang/man on my system, plus the false
positive /usr/lib/swipl-7.2.3/xpce/man), and every domain is allowed to
access lib_t anyway.

Regards,
Luis Ressel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170607/826ed5f4/attachment.bin