[refpolicy] [PATCH 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains

Vincent Brillault gentoo+selinux at lerya.net
Sat Aug 2 14:35:34 EDT 2014

Dear all,

Since a "recent" change in glibc (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb583c0e585e83a01253299afed9ea9a11), a lot of different domains try to read /proc/sys/vm/overcommit_memory.
This generates a lot of AVC denials like the following:
allow * sysctl_vm_t:dir search;
allow * sysctl_vm_t:file { read open };

This access seems to be useless unless /proc/sys/vm/overcommit_memory contains '2', so the denials probably don't hurt, but I see no reason not to allow this access.
More details can be found on https://bugzilla.redhat.com/show_bug.cgi?id=872729
The first patch is directly taken from the Fedora policy; I only rebased it (and added a comment).

Vincent Brillault
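As an added example that is not part of the original post or of refpolicy, the following script aggregates audit AVC denials against sysctl_vm_t into allow rules of the form quoted above, the way one would before turning them into a policy patch. The audit lines, PIDs and domain names (sshd_t, crond_t, httpd_t) are constructed, and permissions are emitted in sorted order.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the original post): the denials
# glibc's overcommit_memory check produces for two hypothetical domains,
# plus one unrelated denial to show the target-type filter at work.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1407000000.101:201): avc:  denied  { search } for  pid=1001 comm="sshd" name="vm" dev="proc" ino=4001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1407000000.102:202): avc:  denied  { read } for  pid=1001 comm="sshd" name="overcommit_memory" dev="proc" ino=4002 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1407000000.103:203): avc:  denied  { open } for  pid=1001 comm="sshd" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=4002 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1407000000.104:204): avc:  denied  { search } for  pid=1002 comm="crond" name="vm" dev="proc" ino=4001 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1407000000.105:205): avc:  denied  { read open } for  pid=1002 comm="crond" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=4002 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1407000000.106:206): avc:  denied  { write } for  pid=1003 comm="httpd" name="index.html" dev="dm-0" ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def _type_of(context):
    # An SELinux context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]

def collect_denials(audit_text, target_type=None):
    """Aggregate denials into {(source_type, target_type, class): {perms}}.
    With target_type set (e.g. "sysctl_vm_t"), other targets are ignored."""
    needed = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        ttype = _type_of(m.group("tcon"))
        if target_type and ttype != target_type:
            continue
        key = (_type_of(m.group("scon")), ttype, m.group("tclass"))
        needed[key].update(m.group("perms").split())
    return dict(needed)

def allow_rules(audit_text, target_type=None):
    """Render the aggregated denials as one allow rule per (source, target, class)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(collect_denials(audit_text, target_type).items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT, "sysctl_vm_t")))
```

On a real system the input would be the output of `ausearch -m avc`; as the post notes, these reads only matter to the caller when overcommit_memory is set to 2, so the rules are about silencing noise, not enabling behaviour.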
