From: russell@coker.com.au (Russell Coker)
Date: Sat, 04 Nov 2017 20:17:53 +1100
Subject: [refpolicy] map permissions
Message-ID: <3850548.JCvBVk9sDr@xev>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

http://oss.tresys.com/pipermail/refpolicy/2017-May/009534.html

What happened to the patch from the above message?

The glibc implementations of getpwent(3) and friends map files, so I have the following on a test machine. If we aren't going to add the patch from the above message to allow map for most read permissions, then I think we should do it for etc_t at least, if we aren't going to allow it for all reads. If so, we could have a _nomap variant of interfaces for reading etc_t for the rare programs that can operate without getpwent(3) etc.

What do you think?

As an aside, am I the only person here testing with recent kernels?

# everything maps etc_t for /etc/passwd and /etc/group
allow chkpwd_t etc_t:file map;
allow chkpwd_t shadow_t:file map;
allow consolekit_t etc_t:file map;
allow local_login_t etc_t:file map;
allow system_sudo_t etc_t:file map;
allow systemd_logind_t etc_t:file map;
allow systemd_tmpfiles_t etc_t:file map;
allow getty_t etc_t:file map;
allow crond_t etc_t:file map;
allow audisp_t etc_t:file map;
allow mon_t etc_t:file map;
allow postfix_bounce_t etc_t:file map;
allow postfix_cleanup_t etc_t:file map;
allow postfix_local_t etc_t:file map;
allow postfix_master_t etc_t:file map;
allow postfix_pickup_t etc_t:file map;
allow postfix_postdrop_t etc_t:file map;
allow postfix_qmgr_t etc_t:file map;
allow semanage_t etc_t:file map;
allow sshd_t etc_t:file map;
allow syslogd_t etc_t:file map;
allow system_dbusd_t etc_t:file map;
allow system_mail_t etc_t:file map;
allow auditd_t etc_t:file map;

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
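The list of allow rules above is the kind of output one gets by summarising AVC denials for the map permission on a recent kernel. The following script is an added example, not part of the mailing-list message or of refpolicy: it parses kernel audit AVC lines, keeps only denials that include map, collapses repeated hits from the same domain into one rule per (source type, target type, class) triple, and reports which domains touched etc_t. The sample audit lines are constructed for the example (pids, inodes and timestamps are made up); the function names parse_avc, denials_with_perm, allow_rules and domains_mapping are this example's own.

```python
"""Summarise SELinux AVC 'map' denials into candidate allow rules.

Added example: reads audit.log-style AVC lines and emits one
'allow src tgt:class map;' rule per distinct denial triple, so the
policy author can see which domains map which file types.
"""
import re
from collections import defaultdict

# Constructed sample input in the format the kernel audit subsystem emits.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1509780000.101:201): avc:  denied  { map } for  pid=801 comm="sshd" '
    'path="/etc/passwd" dev="sda1" ino=1001 scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1509780000.102:202): avc:  denied  { map } for  pid=802 comm="cron" '
    'path="/etc/group" dev="sda1" ino=1002 scontext=system_u:system_r:crond_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1509780000.103:203): avc:  denied  { read map } for  pid=803 comm="unix_chkpwd" '
    'path="/etc/shadow" dev="sda1" ino=1003 scontext=system_u:system_r:chkpwd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    # A second sshd hit on another etc_t file: must collapse into the same rule.
    'type=AVC msg=audit(1509780000.104:204): avc:  denied  { map } for  pid=804 comm="sshd" '
    'path="/etc/group" dev="sda1" ino=1002 scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    # An unrelated denial (no map permission) that the filter must ignore.
    'type=AVC msg=audit(1509780000.105:205): avc:  denied  { write } for  pid=805 comm="sshd" '
    'path="/var/log/example" dev="sda1" ino=1004 scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0',
]

# Matches the denied permission set and the source/target contexts of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] context (ctx itself if malformed)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line into perms/source type/target type/class, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def denials_with_perm(lines, perm='map'):
    """Group denials that include `perm` by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or perm not in rec['perms']:
            continue
        grouped[(rec['stype'], rec['ttype'], rec['tclass'])].add(perm)
    return grouped


def allow_rules(lines, perm='map'):
    """Emit one sorted, deduplicated 'allow src tgt:class perm;' line per distinct triple."""
    return [f"allow {s} {t}:{c} {perm};" for (s, t, c) in sorted(denials_with_perm(lines, perm))]


def domains_mapping(lines, ttype='etc_t'):
    """Source domains denied map on files of type `ttype` (the 'everything maps etc_t' view)."""
    return sorted({s for (s, t, c) in denials_with_perm(lines, 'map') if t == ttype and c == 'file'})


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LINES):
        print(rule)
    print('domains needing map on etc_t:', ', '.join(domains_mapping(SAMPLE_AUDIT_LINES)))
```

Run against a real audit.log with `allow_rules(open('/var/log/audit/audit.log'))`; the grouping by target type is what makes the etc_t versus shadow_t split visible, which is the distinction the message draws between allowing map broadly for etc_t and keeping other targets on a case-by-case basis.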