From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 14 Dec 2015 10:12:37 -0500 Subject: [refpolicy] [PATCH v2] Add interfaces to read/write /proc/sys/vm/overcommit_memory In-Reply-To: <1449839016-13799-1-git-send-email-bigon@debian.org> References: <1449839016-13799-1-git-send-email-bigon@debian.org> Message-ID: <566EDC65.5020608@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/11/2015 8:03 AM, Laurent Bigonville wrote: > From: Laurent Bigonville > > --- > policy/modules/kernel/kernel.if | 40 ++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 40 insertions(+) > > diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if > index f1130d1..e0f23ec 100644 > --- a/policy/modules/kernel/kernel.if > +++ b/policy/modules/kernel/kernel.if > @@ -3323,3 +3323,43 @@ interface(`kernel_unconfined',` > typeattribute $1 kern_unconfined; > kernel_load_module($1) > ') > + > +######################################## > +## > +## Read virtual memory overcommit sysctl. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`kernel_read_vm_overcommit_sysctl',` > + gen_require(` > + type sysctl_vm_overcommit_t; > + ') > + > + kernel_search_vm_sysctl($1) > + allow $1 sysctl_vm_overcommit_t:file read_file_perms; > +') > + > +######################################## > +## > +## Read and write virtual memory overcommit sysctl. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`kernel_rw_vm_overcommit_sysctl',` > + gen_require(` > + type sysctl_vm_overcommit_t; > + ') > + > + kernel_search_vm_sysctl($1) > + allow $1 sysctl_vm_overcommit_t:file rw_file_perms; > +') Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
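Review bot: in kernel_rw_vm_overcommit_sysctl, the line "allow $1 sysctl_vm_overcommit_t:file rw_file_perms;" lets the calling domain change a system-wide memory overcommit setting, yet the comment block says only "Read and write virtual memory overcommit sysctl" and the patch has an empty commit message with no caller of either interface. Suggest naming in the commit message the domain that needs write access, and using kernel_read_vm_overcommit_sysctl for any caller that only reads the value. Both interfaces also gen_require sysctl_vm_overcommit_t while the diffstat shows only kernel.if changed, so it is worth confirming that the type and its labelling for /proc/sys/vm/overcommit_memory are already declared in the kernel module.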