From: cgzones@googlemail.com (=?UTF-8?Q?Christian_G=C3=B6ttsche?=) Date: Wed, 13 Sep 2017 10:08:19 +0200 Subject: [refpolicy] [PATCH] mandb: fixes for systemd timer and /usr/local/man label In-Reply-To: <6a4807dc-08c8-9f6f-5638-869332e5615a@ieee.org> References: <20170912092403.3951-1-cgzones@googlemail.com> <6a4807dc-08c8-9f6f-5638-869332e5615a@ieee.org> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com 2017-09-13 1:59 GMT+02:00 Chris PeBenito : > On 09/12/2017 05:24 AM, Christian G?ttsche via refpolicy wrote: >> >> --- >> mandb.te | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/mandb.te b/mandb.te >> index 5c759da..de1ac65 100644 >> --- a/mandb.te >> +++ b/mandb.te >> @@ -10,7 +10,7 @@ roleattribute system_r mandb_roles; >> type mandb_t; >> type mandb_exec_t; >> -application_domain(mandb_t, mandb_exec_t) >> +init_system_domain(mandb_t, mandb_exec_t) > > > The way the policy is written, it seems like mandb is both an application > domain and a system domain. > Should be both calls present, although `init_system_domain` calls `application_domain`? > >> role mandb_roles types mandb_t; >> type mandb_unit_t; >> @@ -40,6 +40,8 @@ domain_use_interactive_fds(mandb_t) >> files_dontaudit_search_home(mandb_t) >> files_read_etc_files(mandb_t) >> +# /usr/local/man >> +files_read_usr_symlinks(mandb_t) >> # search /var/run/nscd/socket >> files_search_pids(mandb_t) >> > > > > -- > Chris PeBenito
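Review bot: In the first hunk (mandb.te, @@ -10,7 +10,7 @@), the swap of application_domain(mandb_t, mandb_exec_t) for init_system_domain(mandb_t, mandb_exec_t) comes with no justification: the patch body is empty above the "---" line and the hunk adds no comment. The subject mentions a systemd timer, so the commit message should say that mandb_t is now started by that timer and therefore needs to be an init-launched system domain. It should also answer the question raised in this thread, whether the application-domain properties remain in effect after application_domain is removed. A one-line comment above the new call would keep that reasoning in the policy source.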
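Review bot: In the second hunk (mandb.te, @@ -40,6 +40,8 @@), the added comment "# /usr/local/man" does not say what access is being granted or why. The neighbouring comment "# search /var/run/nscd/socket" names the operation; the new one should do the same, for example "# read the /usr/local/man symlink". The subject also describes this as a fix for the "/usr/local/man label", but the diffstat shows only mandb.te changed and the hunk adds files_read_usr_symlinks(mandb_t), an allow rule rather than a labeling change. Reword the subject, or include the file-context change if one was intended.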