[refpolicy] [PATCH v2 2/2] Extend kernel_search_*_overcommit_sysctl search

Vincent Brillault gentoo+selinux at lerya.net
Sat Aug 2 14:47:43 EDT 2014


From: Vincent Brillault <git at lerya.net>

When accessing /proc/sys/vm/overcommit_memory, the caller must also be able
to traverse /proc/sys/vm, i.e. search on sysctl_vm_t is required.
---
 policy/modules/kernel/kernel.if | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 54e3aef..425db84 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3204,10 +3204,10 @@ interface(`kernel_unconfined',`
 #
 interface(`kernel_search_vm_overcommit_sysctl',`
 	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 	')
 
-	search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+	search_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)
 ')
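Review bot: The rewritten search_dirs_pattern still names sysctl_vm_overcommit_t as the terminal directory type, yet the commit message describes that type as labelling /proc/sys/vm/overcommit_memory, which is a file, so the resulting `allow $1 sysctl_vm_overcommit_t:dir search_dir_perms` would never match an object and only pads the policy. If the type is indeed file-only, the directory callers actually need to reach is sysctl_vm_t and the rule reads more honestly as `search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)`. The interface's doc block above the hunk should also be updated to say that search on /proc/sys/vm is now granted, since that is the observable change. I cannot see the genfscon entries for this type, so please confirm before dropping the dir rule.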
 
 ########################################
@@ -3223,10 +3223,10 @@ interface(`kernel_search_vm_overcommit_sysctl',`
 #
 interface(`kernel_read_vm_overcommit_sysctls',`
 	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 	')
 
-	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
 ')
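Review bot: The directory set on the read_files_pattern line now carries four types, and sysctl_vm_overcommit_t is still among them even though the commit message identifies it as the label of /proc/sys/vm/overcommit_memory, a file; a dir search rule on a file-only type is dead policy that widens the gen_require surface for nothing. With sysctl_vm_t added the parent chain is already complete, so `read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)` is sufficient. If sysctl_vm_overcommit_t is also applied to a directory somewhere in the genfscon rules, which are outside this patch, keep the line as is.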
 
 ########################################
@@ -3242,9 +3242,9 @@ interface(`kernel_read_vm_overcommit_sysctls',`
 #
 interface(`kernel_rw_vm_overcommit_sysctls',`
 	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 	')
 
-	rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+	rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+	list_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)
 ')
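Review bot: The list_dirs_pattern line grants list_dir_perms on sysctl_vm_overcommit_t:dir, but the rw_files_pattern line directly above already grants search on every parent directory, and if sysctl_vm_overcommit_t labels only the overcommit_memory file the list rule has no object to match; either drop the line or, if the intent is to let callers enumerate /proc/sys/vm, write it as `list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)`. The same file-type-in-directory-set question applies to sysctl_vm_overcommit_t on the rw_files_pattern line. As a style nit, the carried-over `$1 ,{` spacing on that line differs from every other interface in this file and should be `$1, {`. Please confirm against the genfscon entries, which this patch does not show.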
-- 
1.8.5.5


