[refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory

Dominick Grift dominick.grift at gmail.com
Thu Aug 14 15:47:13 EDT 2014

On Thu, 2014-08-14 at 15:29 -0400, Christopher J. PeBenito wrote:

> These two interfaces are overspecified.  sysctl_vm_overcommit_t
> shouldn't be included in the second parameter of the patterns
> (read_files_pattern and rw_files_pattern) since the type is never used
> on a directory.

I do not like associating these "secondary" rules with a type attribute
as fundamental as domain.

The domain type attribute is fundamental to the policy due to the neverallow
rules that are associated with it.

I want to be able to create "domains" that respect the neverallow rule
but I do not want to be forced to use these "secondary" rules.
