From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 19:16:10 -0400
Subject: [refpolicy] [PATCH] mandb: fixes for systemd timer and /usr/local/man label
In-Reply-To: <20170910152611.7435-1-cgzones@googlemail.com>
References: <20170910152611.7435-1-cgzones@googlemail.com>
Message-ID: <276d5879-e364-7209-609f-db9c344c4d44@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/10/2017 11:26 AM, Christian Göttsche via refpolicy wrote:
> --- > mandb.te | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/mandb.te b/mandb.te > index 5c759da..27d5fff 100644 > --- a/mandb.te > +++ b/mandb.te > @@ -16,6 +16,11 @@ role mandb_roles types mandb_t; > type mandb_unit_t; > init_unit_file(mandb_unit_t) > > +ifdef(`init_systemd',` > + # run as systemd timer > + init_system_domain(mandb_t, mandb_exec_t) > +') I don't think this needs to be a build option. > ######################################## > # > # Local policy > @@ -40,6 +45,8 @@ domain_use_interactive_fds(mandb_t) > > files_dontaudit_search_home(mandb_t) > files_read_etc_files(mandb_t) > +# /usr/local/man > +files_read_usr_symlinks(mandb_t) > # search /var/run/nscd/socket > files_search_pids(mandb_t) > >

--
Chris PeBenito
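Review bot: the ifdef(`init_systemd') guard around init_system_domain(mandb_t, mandb_exec_t) in the first hunk (@@ -16,6 +16,11 @@) has no stated justification beyond the comment "# run as systemd timer", and the patch carries no description of the denial that prompted it. Calling init_system_domain(mandb_t, mandb_exec_t) unconditionally next to the other declarations would remove a build-time difference in which domain mandb runs in, and the comment could then say which timer unit starts mandb so the reason for the init transition stays documented.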
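Review bot: the comment "# /usr/local/man" in the second hunk (@@ -40,6 +45,8 @@) names only a path, unlike the neighbouring "# search /var/run/nscd/socket", which also states the access being granted. If the point is that mandb has to follow a symlink at /usr/local/man, say so in the comment so a later reader can tell why files_read_usr_symlinks(mandb_t) is there. The subject line also speaks of a "/usr/local/man label", but the diffstat shows only mandb.te changed and this hunk adds a read permission, not a file context, so the subject or a short commit description should be reworded to match what the patch does.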