From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v6]: mcelog module initial rewrite
Date: Fri, 10 Aug 2012 10:47:35 -0400 [thread overview]
Message-ID: <50251F07.8050301@tresys.com> (raw)
In-Reply-To: <50243181.3040908@trentalancia.com>
On 08/09/12 17:54, Guido Trentalancia wrote:
> On 09/08/2012 18:34, Christopher J. PeBenito wrote:
>> On 08/08/12 15:33, Guido Trentalancia wrote:
>>> --- refpolicy/policy/modules/contrib/mcelog.te 2012-08-08 21:22:01.160888610 +0200
>>> +++ refpolicy-08082012/policy/modules/contrib/mcelog.te 2012-08-08 21:22:19.204057838 +0200
>>> @@ -75,6 +75,7 @@ allow mcelog_t self:capability sys_admin
>>> allow mcelog_t self:unix_stream_socket connected_socket_perms;
>>> allow mcelog_t mcelog_etc_t:dir list_dir_perms;
>>>
>>> +files_read_etc_files(mcelog_t)
>>> read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>>>
>>> # manage a logfile in a generic or private log directory
>>> @@ -92,8 +93,6 @@ dev_read_raw_memory(mcelog_t)
>>> dev_read_kmsg(mcelog_t)
>>> dev_rw_sysfs(mcelog_t)
>>>
>>> -files_read_etc_files(mcelog_t)
>>> -
>>> # for /dev/mem access
>>> mls_file_read_all_levels(mcelog_t)
>>
>> This isn't necessary. The reading etc files stands on its own where it is. If we want to be really thorough, you could add files_search_etc() by the read_files_pattern, but I think its fine as is.
>
> Yes, why not ? I have also added a comment to be 100% transparent to the
> user, if anybodys want to further restrict it under particular
> circumstances:
Reading etc_t files is not a required access for reading mcelog_etc_t files. If mcelog does not read etc_t files, then moving the line makes sense, if its also changed to files_search_etc().
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2012-08-10 14:47 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-06 15:19 [refpolicy] [PATCH v2]: mcelog module initial rewrite Guido Trentalancia
2012-08-06 15:30 ` Dominick Grift
2012-08-06 18:43 ` [refpolicy] [PATCH v3]: " Guido Trentalancia
2012-08-06 19:44 ` Dominick Grift
2012-08-07 17:34 ` [refpolicy] [PATCH v4]: " Guido Trentalancia
2012-08-07 17:43 ` Dominick Grift
2012-08-07 17:57 ` Guido Trentalancia
2012-08-07 19:35 ` Guido Trentalancia
2012-08-07 19:48 ` Dominick Grift
2012-08-07 20:20 ` Guido Trentalancia
2012-08-07 20:27 ` Dominick Grift
2012-08-07 22:04 ` [refpolicy] [PATCH v6]: " Guido Trentalancia
2012-08-08 13:02 ` Christopher J. PeBenito
2012-08-08 14:34 ` Guido Trentalancia
2012-08-08 14:41 ` Christopher J. PeBenito
2012-08-08 19:33 ` Guido Trentalancia
2012-08-09 16:34 ` Christopher J. PeBenito
2012-08-09 21:54 ` Guido Trentalancia
2012-08-10 14:47 ` Christopher J. PeBenito [this message]
2012-08-10 19:27 ` Guido Trentalancia
2012-08-14 12:23 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50251F07.8050301@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.