From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 5 Sep 2012 13:27:36 -0400
Subject: [refpolicy] [PATCH] Use ps_process_pattern() in domain_read_state interfaces. Seems though that not everyone reading domain state needs to be able to get attributes of target process types.
In-Reply-To: <1346263182-11122-1-git-send-email-dominick.grift@gmail.com>
References: <1346263182-11122-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <50478B88.7060103@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/29/12 13:59, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift
> diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
> index 6a1e4d1..9f82171 100644
> --- a/policy/modules/kernel/domain.if
> +++ b/policy/modules/kernel/domain.if
> @@ -623,10 +623,7 @@
> attribute domain;
> ')
>
> - kernel_search_proc($1)
> - allow $1 domain:dir list_dir_perms;
> - read_files_pattern($1, domain, domain)
> - read_lnk_files_pattern($1, domain, domain)
> + ps_process_pattern($1, domain)
> ')
>
> ########################################
> @@ -683,10 +680,7 @@
> attribute domain, unconfined_domain_type;
> ')
>
> - kernel_search_proc($1)
> - allow $1 { domain -unconfined_domain_type }:dir list_dir_perms;
> - read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
> - read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
> + ps_process_pattern($1, { domain -unconfined_domain_type })
>
> dontaudit $1 unconfined_domain_type:dir search_dir_perms;
> dontaudit $1 unconfined_domain_type:file read_file_perms;

I'd have to say no to this patch. As you say, not all domains that read other domains' state need to getattr the process.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
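Review bot: The first hunk (@@ -623,10 +623,7 @@) silently widens what the interface grants: ps_process_pattern($1, domain) is not a one-for-one replacement for the four removed rules, because, as both the subject line and the reply point out, the pattern also grants getattr on the target process class, so every existing caller that only needed to read /proc/<pid> files now gains process:getattr on every domain. Keep the explicit `allow $1 domain:dir list_dir_perms;`, `read_files_pattern(...)` and `read_lnk_files_pattern(...)` rules, or if the getattr is really wanted add it as a separate, commented allow so the widening is visible in the interface. The hunk also removes `kernel_search_proc($1)` with nothing replacing it; unless the pattern grants search on the /proc root on its own, callers lose the path to the per-process directories, so that call should stay.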
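Review bot: The second hunk (@@ -683,10 +680,7 @@) has the same widening and the same dropped `kernel_search_proc($1)` for the { domain -unconfined_domain_type } variant, plus an audit-noise problem specific to this interface: the two dontaudit lines kept below it only silence dir search and file read on unconfined_domain_type, so if the pattern now also requests process:getattr, callers walking /proc will start generating getattr denials on unconfined domains that these dontaudits do not cover. If the pattern is kept, a matching `dontaudit $1 unconfined_domain_type:process getattr;` is needed next to the existing two; keeping the explicit rules avoids the issue entirely.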