From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 11 Sep 2017 20:23:46 -0400 Subject: [refpolicy] [PATCH 3/3] miscfiles: Allow libfontconfig consumers to map the fonts cache In-Reply-To: <20170911220239.1953-3-aranea@aixah.de> References: <20170911220239.1953-1-aranea@aixah.de> <20170911220239.1953-3-aranea@aixah.de> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote: > --- > policy/modules/system/miscfiles.if | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if > index 0e0ac3bf..e4918b47 100644 > --- a/policy/modules/system/miscfiles.if > +++ b/policy/modules/system/miscfiles.if > @@ -151,6 +151,7 @@ interface(`miscfiles_read_fonts',` > > allow $1 fonts_cache_t:dir list_dir_perms; > read_files_pattern($1, fonts_cache_t, fonts_cache_t) > + allow $1 fonts_cache_t:file map; > read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) > ') Are you sure that all users of this interface are from libfontconfig? After looking at your other patches, I'm starting to wonder if more abstract interfaces are worthwhile, similar to seutil_libselinux_linked(). Then we could reasonably add the map in a libfontconfig_linked() interface without fear of future users getting unnecessary perms on this generic interface. -- Chris PeBenito
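Review bot: the added `allow $1 fonts_cache_t:file map;` in miscfiles_read_fonts grants map on the fonts cache files to every domain that calls this generic read interface, while the subject line scopes the need to libfontconfig consumers. Either move the rule into a separate interface that only fontconfig-linked domains call, or keep it here and say in the patch description (the quoted patch shows none above the `---`) why every caller needs it. If the rule stays in this interface, a one-line comment beside it noting that libfontconfig maps its cache files would tell later readers why a "read" interface also grants map.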