* [refpolicy] [PATCH 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains
@ 2014-08-02 18:35 Vincent Brillault
From: Vincent Brillault @ 2014-08-02 18:35 UTC (permalink / raw)
To: refpolicy
Dear all,
Since a "recent" change in glibc (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb583c0e585e83a01253299afed9ea9a11), a lot of different domains try to read /proc/sys/vm/overcommit_memory.
This generates a lot of AVCs like the following:
allow * sysctl_vm_t:dir search;
allow * sysctl_vm_t:file { read open };
This access seems to be useless unless /proc/sys/vm/overcommit_memory contains '2', so the denials probably don't hurt, but I see no reason not to allow this access.
More details can be found at https://bugzilla.redhat.com/show_bug.cgi?id=872729
The first patch is taken directly from the Fedora policy; I only rebased it (and added a comment).
Cheers,
Vincent Brillault
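The cover letter summarises the denials as two audit2allow-style rules. The following added example (not part of the thread or of refpolicy) does that aggregation on raw AVC records: it groups denials against the vm sysctl types by source domain, and separates the search/open/read pattern that the glibc malloc change produces from anything else (here a constructed write), which a policy author should not silently fold into the same allow rule. The audit lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread), shaped like the
# denials the cover letter describes; the last two are a write the glibc
# read does not explain and an unrelated denial that must be filtered out.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1406999700.101:201): avc:  denied  { search } for  pid=1201 comm="sshd" name="vm" dev="proc" ino=5890 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1406999700.102:202): avc:  denied  { read } for  pid=1201 comm="sshd" name="overcommit_memory" dev="proc" ino=5891 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1406999700.103:203): avc:  denied  { open } for  pid=1201 comm="sshd" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=5891 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1406999701.104:204): avc:  denied  { search } for  pid=1377 comm="crond" name="vm" dev="proc" ino=5890 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1406999702.105:205): avc:  denied  { write } for  pid=1402 comm="sysctl" name="overcommit_memory" dev="proc" ino=5891 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1406999703.106:206): avc:  denied  { read } for  pid=1500 comm="httpd" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Types labelling /proc/sys/vm and, once the kernel.te hunk applies, overcommit_memory.
VM_SYSCTL_TYPES = {"sysctl_vm_t", "sysctl_vm_overcommit_t"}
# What the glibc malloc read needs per class: search the dir, then open/read the file.
GLIBC_READ_PERMS = {"dir": {"search"}, "file": {"read", "open"}}

def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial record; return None for records that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": set(m["perms"].split()), "tclass": m["tclass"],
            "sdomain": context_type(m["scontext"]), "ttype": context_type(m["tcontext"])}

def vm_sysctl_denials(lines):
    """Union the denied permissions per (source domain, target type, object class)."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d and d["ttype"] in VM_SYSCTL_TYPES:
            grouped[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return grouped

def classify(grouped):
    """Split groups into those the glibc read explains and those needing a closer look."""
    glibc, other = [], []
    for key, perms in sorted(grouped.items()):
        bucket = glibc if perms <= GLIBC_READ_PERMS.get(key[2], set()) else other
        bucket.append((*key, perms))
    return glibc, other

def allow_rules(entries):
    """Render entries in the 'allow domain type:class perms;' form of the cover letter."""
    rules = []
    for sdomain, ttype, tclass, perms in entries:
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {sdomain} {ttype}:{tclass} {p};")
    return rules

if __name__ == "__main__":
    glibc, other = classify(vm_sysctl_denials(SAMPLE_AUDIT.splitlines()))
    print("\n".join(allow_rules(glibc) + ["# not explained by glibc, review:"] + allow_rules(other)))
```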
^ permalink raw reply [flat|nested] 9+ messages in thread* [refpolicy] [PATCH 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory 2014-08-02 18:35 [refpolicy] [PATCH 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault @ 2014-08-02 18:35 ` Vincent Brillault 2014-08-02 18:35 ` [refpolicy] [PATCH 2/2] Extend kernel_search_*_overcommit_sysctl search Vincent Brillault 2014-08-02 18:47 ` [refpolicy] [PATCH v2 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault 2 siblings, 0 replies; 9+ messages in thread From: Vincent Brillault @ 2014-08-02 18:35 UTC (permalink / raw) To: refpolicy From: Vincent Brillault <git@lerya.net> glibc malloc read this file since commit 9fab36eb (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb) Patch adapted from commit 343c0887514718387f36ee8ead2b941ba9bfb894 on fedora selinux-policy made by Dan Walsh <dwalsh@redhat.com> --- policy/modules/kernel/domain.te | 4 +++ policy/modules/kernel/kernel.if | 57 +++++++++++++++++++++++++++++++++++++++++ policy/modules/kernel/kernel.te | 4 +++ 3 files changed, 65 insertions(+) diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 4af7dbd..b95c75d 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -99,6 +99,10 @@ allow domain self:process { fork sigchld }; # glibc get_nprocs requires read access to /sys/devices/system/cpu/online dev_read_cpu_online(domain) +# glibc malloc requires access to /proc/sys/vm/overcommit_memory +# see https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb +kernel_read_vm_overcommit_sysctls(domain) + # Use trusted objects in /dev dev_rw_null(domain) dev_rw_zero(domain) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 18cef42..122d560 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
@@ -3209,3 +3209,60 @@ interface(`kernel_unconfined',` typeattribute $1 kern_unconfined; kernel_load_module($1) ') + +######################################## +## <summary> +## Allow caller to search virtual memory overcommit sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_search_vm_overcommit_sysctl',` + gen_require(` + type proc_t, sysctl_t, sysctl_vm_overcommit_t; + ') + + search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) +') + +######################################## +## <summary> +## Allow caller to read virtual memory overcommit sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_vm_overcommit_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_vm_overcommit_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) +') + +######################################## +## <summary> +## Read and write virtual memory overcommit sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_vm_overcommit_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_vm_overcommit_t; + ') + + rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) +') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 5d6da7f..ca50f10 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te 
@@ -153,6 +153,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) +# /proc/sys/vm/overcommit_memory +type sysctl_vm_overcommit_t, sysctl_type; +genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0) + # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -- 1.8.5.5 ^ permalink raw reply related [flat|nested] 9+ messages in thread
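Review bot: In the kernel.if hunk, kernel_search_vm_overcommit_sysctl and kernel_read_vm_overcommit_sysctls grant search only on { proc_t sysctl_t }, so a caller still cannot traverse /proc/sys/vm, which keeps its sysctl_vm_t label after the kernel.te hunk (the cover letter's first denial, `allow * sysctl_vm_t:dir search;`, is exactly that step); sysctl_vm_t belongs in the directory set of all three interfaces. The same directory sets also carry sysctl_vm_overcommit_t, a type the kernel.te hunk applies to a single file and never to a directory; drop it from the second parameter rather than granting a dir search that can never be exercised, and tidy `rw_files_pattern($1 ,{` to `rw_files_pattern($1, {`.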
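Review bot: The new comment in the domain.te hunk says glibc malloc "requires access", while the cover letter states the read only matters when overcommit_memory contains '2' and that the denial is otherwise harmless; record that in the comment (for example, "glibc malloc reads this file unconditionally; the rule avoids an AVC denial in every domain") so a later reader can tell a cosmetic denial from a functional dependency. Since the rule is attached to the domain attribute and therefore reaches every confined type, that one-line justification is the only thing documenting why the scope is this wide.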
* [refpolicy] [PATCH 2/2] Extend kernel_search_*_overcommit_sysctl search 2014-08-02 18:35 [refpolicy] [PATCH 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault 2014-08-02 18:35 ` [refpolicy] [PATCH 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory Vincent Brillault @ 2014-08-02 18:35 ` Vincent Brillault 2014-08-02 18:47 ` [refpolicy] [PATCH v2 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault 2 siblings, 0 replies; 9+ messages in thread From: Vincent Brillault @ 2014-08-02 18:35 UTC (permalink / raw) To: refpolicy From: Vincent Brillault <git@lerya.net> When going to /proc/sys/vm/overcommit_memory, passing through /proc/sys/vm, i-e sysctl_vm_t, is required --- policy/modules/kernel/kernel.if | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 122d560..4ba431a 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -3222,10 +3222,10 @@ interface(`kernel_unconfined',` # interface(`kernel_search_vm_overcommit_sysctl',` gen_require(` - type proc_t, sysctl_t, sysctl_vm_overcommit_t; + type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t; ') - search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) + search_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t) ') ######################################## @@ -3241,10 +3241,10 @@ interface(`kernel_search_vm_overcommit_sysctl',` # interface(`kernel_read_vm_overcommit_sysctls',` gen_require(` - type proc_t, sysctl_t, sysctl_vm_overcommit_t; + type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t; ') - read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) + read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) ') ######################################## 
@@ -3260,9 +3260,9 @@ interface(`kernel_read_vm_overcommit_sysctls',` # interface(`kernel_rw_vm_overcommit_sysctls',` gen_require(` - type proc_t, sysctl_t, sysctl_vm_overcommit_t; + type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t; ') - rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) + rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) + list_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t) ') -- 1.8.5.5 ^ permalink raw reply related [flat|nested] 9+ messages in thread
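Review bot: All three hunks rewrite gen_require and pattern lines that PATCH 1/2 of this same series introduces; fold the change into 1/2 instead, otherwise the history contains a commit in which kernel_read_vm_overcommit_sysctls(domain) is wired into domain.te but cannot reach /proc/sys/vm. With sysctl_vm_t added, the directory sets of the read and rw interfaces still list sysctl_vm_overcommit_t, which the series only ever places on the overcommit_memory file; the read line should become `read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)`, with the rw line trimmed the same way.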
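Review bot: In the kernel_rw_vm_overcommit_sysctls hunk, the list_dirs_pattern line now grants list on /proc/sys/vm (sysctl_vm_t) as well as on proc_t and sysctl_t, while rw_files_pattern already gives search on the same directory set, which is all that opening the file needs; unless the rw interface is meant to let callers enumerate /proc/sys/vm, drop the list_dirs_pattern line so the write-capable interface stays as narrow as the read one. The stray space in `rw_files_pattern($1 ,{` is carried over from 1/2 and can be fixed on the same line since it is being rewritten anyway.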
* [refpolicy] [PATCH v2 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains
From: Vincent Brillault @ 2014-08-02 18:47 UTC (permalink / raw)
To: refpolicy
This v2 fixes the author of the first commit (which was lost as I played too much with the "From" headers).
Since a "recent" change in glibc (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb583c0e585e83a01253299afed9ea9a11), a lot of different domains try to read /proc/sys/vm/overcommit_memory.
This generates a lot of AVCs like the following:
allow * sysctl_vm_t:dir search;
allow * sysctl_vm_t:file { read open };
This access seems to be useless unless /proc/sys/vm/overcommit_memory contains '2', so the denials probably don't hurt, but I see no reason not to allow this access.
More details can be found at https://bugzilla.redhat.com/show_bug.cgi?id=872729
The first patch is taken directly from the Fedora policy; I only rebased it (and added a comment).
Cheers,
Vincent Brillault
* [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory 2014-08-02 18:47 ` [refpolicy] [PATCH v2 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault @ 2014-08-02 18:47 ` Vincent Brillault 2014-08-14 19:29 ` Christopher J. PeBenito 2014-08-02 18:47 ` [refpolicy] [PATCH v2 2/2] Extend kernel_search_*_overcommit_sysctl search Vincent Brillault 1 sibling, 1 reply; 9+ messages in thread From: Vincent Brillault @ 2014-08-02 18:47 UTC (permalink / raw) To: refpolicy From: Dan Walsh <dwalsh@redhat.com> glibc malloc read this file since commit 9fab36eb (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb) Patch adapted from commit 343c0887514718387f36ee8ead2b941ba9bfb894 on fedora selinux-policy Signed-off-by: Vincent Brillault <git@lerya.net> --- policy/modules/kernel/domain.te | 4 +++ policy/modules/kernel/kernel.if | 57 +++++++++++++++++++++++++++++++++++++++++ policy/modules/kernel/kernel.te | 4 +++ 3 files changed, 65 insertions(+) diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 4af7dbd..b95c75d 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -99,6 +99,10 @@ allow domain self:process { fork sigchld }; # glibc get_nprocs requires read access to /sys/devices/system/cpu/online dev_read_cpu_online(domain) +# glibc malloc requires access to /proc/sys/vm/overcommit_memory +# see https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb +kernel_read_vm_overcommit_sysctls(domain) + # Use trusted objects in /dev dev_rw_null(domain) dev_rw_zero(domain) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index dbb3552..54e3aef 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
@@ -3191,3 +3191,60 @@ interface(`kernel_unconfined',` typeattribute $1 kern_unconfined; kernel_load_module($1) ') + +######################################## +## <summary> +## Allow caller to search virtual memory overcommit sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_search_vm_overcommit_sysctl',` + gen_require(` + type proc_t, sysctl_t, sysctl_vm_overcommit_t; + ') + + search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) +') + +######################################## +## <summary> +## Allow caller to read virtual memory overcommit sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_vm_overcommit_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_vm_overcommit_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) +') + +######################################## +## <summary> +## Read and write virtual memory overcommit sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_vm_overcommit_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_vm_overcommit_t; + ') + + rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) +') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 7fe10c3..150d2ea 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te 
@@ -153,6 +153,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) +# /proc/sys/vm/overcommit_memory +type sysctl_vm_overcommit_t, sysctl_type; +genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0) + # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -- 1.8.5.5 ^ permalink raw reply related [flat|nested] 9+ messages in thread
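Review bot: The interface names in the kernel.if hunk are inconsistent: kernel_search_vm_overcommit_sysctl is singular while kernel_read_vm_overcommit_sysctls and kernel_rw_vm_overcommit_sysctls are plural, although all three act on the one file the kernel.te hunk labels sysctl_vm_overcommit_t; settle on one form before the names become part of the public interface (the plural matches the three summaries, which all say "virtual memory overcommit sysctls"). The summaries should also say which directory types the interface traverses, since a caller reading only the summary cannot see that /proc/sys/vm itself is not in the set.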
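Review bot: The domain.te hunk cites only the glibc commit, but v2 re-attributes the work to Dan Walsh and the commit message names the Fedora selinux-policy commit 343c0887514718387f36ee8ead2b941ba9bfb894 it was adapted from; reference that commit in the comment too, so the origin of the rule survives outside the git log. The trailer carries only Vincent's Signed-off-by although the From: line is Dan Walsh's; add the original author's sign-off, or say in the message that the rebase was done without it.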
* [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory 2014-08-02 18:47 ` [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory Vincent Brillault @ 2014-08-14 19:29 ` Christopher J. PeBenito 2014-08-14 19:47 ` Dominick Grift 0 siblings, 1 reply; 9+ messages in thread From: Christopher J. PeBenito @ 2014-08-14 19:29 UTC (permalink / raw) To: refpolicy On 8/2/2014 2:47 PM, Vincent Brillault wrote: > From: Dan Walsh <dwalsh@redhat.com> > > glibc malloc read this file since commit 9fab36eb > (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb) > > Patch adapted from commit 343c0887514718387f36ee8ead2b941ba9bfb894 > on fedora selinux-policy > > Signed-off-by: Vincent Brillault <git@lerya.net> > --- > policy/modules/kernel/domain.te | 4 +++ > policy/modules/kernel/kernel.if | 57 +++++++++++++++++++++++++++++++++++++++++ > policy/modules/kernel/kernel.te | 4 +++ > 3 files changed, 65 insertions(+) > > diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te > index 4af7dbd..b95c75d 100644 > --- a/policy/modules/kernel/domain.te > +++ b/policy/modules/kernel/domain.te 
> @@ -99,6 +99,10 @@ allow domain self:process { fork sigchld }; > # glibc get_nprocs requires read access to /sys/devices/system/cpu/online > dev_read_cpu_online(domain) > > +# glibc malloc requires access to /proc/sys/vm/overcommit_memory > +# see https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb > +kernel_read_vm_overcommit_sysctls(domain) This set of lines should go higher than dev_read_cpu_online(). > +interface(`kernel_read_vm_overcommit_sysctls',` > + gen_require(` > + type proc_t, sysctl_t, sysctl_vm_overcommit_t; > + ') > + > + read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) > +') [...] > +interface(`kernel_rw_vm_overcommit_sysctls',` > + gen_require(` > + type proc_t, sysctl_t, sysctl_vm_overcommit_t; > + ') > + > + rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) > + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) > +') These two interfaces are overspecified. sysctl_vm_overcommit_t shouldn't be included in the second parameter of the patterns (read_files_pattern and rw_files_pattern) since the type is never used on a directory. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory
From: Dominick Grift @ 2014-08-14 19:47 UTC (permalink / raw)
To: refpolicy
On Thu, 2014-08-14 at 15:29 -0400, Christopher J. PeBenito wrote:
> These two interfaces are overspecified. sysctl_vm_overcommit_t
> shouldn't be included in the second parameter of the patterns
> (read_files_pattern and rw_files_pattern) since the type is never used
> on a directory.
>
I do not like associating these "secondary" rules with a type attribute as fundamental as domain.
The domain type attribute is fundamental to the policy due to the neverallow rules that are associated with it.
I want to be able to create "domains" that respect the neverallow rule but I do not want to be forced to use these "secondary" rules.
* [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory
From: Christopher J. PeBenito @ 2014-08-14 19:59 UTC (permalink / raw)
To: refpolicy
On 8/14/2014 3:47 PM, Dominick Grift wrote:
> On Thu, 2014-08-14 at 15:29 -0400, Christopher J. PeBenito wrote:
>
>> These two interfaces are overspecified. sysctl_vm_overcommit_t
>> shouldn't be included in the second parameter of the patterns
>> (read_files_pattern and rw_files_pattern) since the type is never used
>> on a directory.
>>
>
> I do not like associating these "secondary" rules with a type attribute
> as fundamental as domain.
I don't understand what you mean by "secondary". If all domains (at least all those linked with glibc, which is usually all) require this access, how is it secondary?
> The domain type attribute is fundamental to the policy due to the neverallow
> rules that are associated with it.
>
> I want to be able to create "domains" that respect the neverallow rule
> but I do not want to be forced to use these "secondary" rules.
What neverallow is violated with these rules?
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH v2 2/2] Extend kernel_search_*_overcommit_sysctl search 2014-08-02 18:47 ` [refpolicy] [PATCH v2 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault 2014-08-02 18:47 ` [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory Vincent Brillault @ 2014-08-02 18:47 ` Vincent Brillault 1 sibling, 0 replies; 9+ messages in thread From: Vincent Brillault @ 2014-08-02 18:47 UTC (permalink / raw) To: refpolicy From: Vincent Brillault <git@lerya.net> When going to /proc/sys/vm/overcommit_memory, passing through /proc/sys/vm, i-e sysctl_vm_t, is required --- policy/modules/kernel/kernel.if | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 54e3aef..425db84 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -3204,10 +3204,10 @@ interface(`kernel_unconfined',` # interface(`kernel_search_vm_overcommit_sysctl',` gen_require(` - type proc_t, sysctl_t, sysctl_vm_overcommit_t; + type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t; ') - search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) + search_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t) ') ######################################## @@ -3223,10 +3223,10 @@ interface(`kernel_search_vm_overcommit_sysctl',` # interface(`kernel_read_vm_overcommit_sysctls',` gen_require(` - type proc_t, sysctl_t, sysctl_vm_overcommit_t; + type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t; ') - read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) + read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) ') ######################################## 
@@ -3242,9 +3242,9 @@ interface(`kernel_read_vm_overcommit_sysctls',` # interface(`kernel_rw_vm_overcommit_sysctls',` gen_require(` - type proc_t, sysctl_t, sysctl_vm_overcommit_t; + type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t; ') - rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) + rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) + list_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t) ') -- 1.8.5.5 ^ permalink raw reply related [flat|nested] 9+ messages in thread
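Review bot: The first hunk (kernel_search_vm_overcommit_sysctl) corrects an interface that v2 1/2 introduces one commit earlier, so squash this patch into v2 1/2 rather than merging a commit whose search interface, on its own, does not grant the traversal its name promises; the diff is the same as PATCH 2/2 of v1 apart from the rebased line numbers, so nothing is lost by folding it. The commit message should also read "i.e." rather than "i-e".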
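Review bot: In the kernel_read_vm_overcommit_sysctls and kernel_rw_vm_overcommit_sysctls hunks, adding sysctl_vm_t to the directory set is the right fix, but the rewritten lines still carry sysctl_vm_overcommit_t in that set even though the type is only ever placed on the overcommit_memory file, and the rw line keeps the `$1 ,{` spacing; since both lines are rewritten here, make them `read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)` and `rw_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)`.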