From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 02 Dec 2008 17:51:28 -0500
Subject: [refpolicy] kernel_files.patch
In-Reply-To: <492C7592.6080400@redhat.com>
References: <492C7592.6080400@redhat.com>
Message-ID: <1228258290.9691.381.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2008-11-25 at 17:00 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_files.patch
>
> Fix label of system_map under /boot/efi
>
> Add etc_runtime to hosts.deny

I need justification for this.

> Allow relabel from and to all blk and chr file context. This prevents
> restorecon from breaking if users have blk files in homedir.

Why would there be device nodes in a user home directory? We can't allow
device nodes to be relabeled to something that is not a device node type.

> Add interfaces to rw_all_files
>
> Allow relabel all filesystems to all other file systems (Mount context=)

When/why did the existing rule for this become insufficient?

> Add the ability to delete unlabeled file (file_t) tmpreaper needs to be
> able to delete files left on /tmp that never got labeled on initial label.

I don't have a problem with this, but I think the
files_delete_isid_type_files() interface needs to be split up. Or put the
rules into the purge tmp interface.

> A few other interfaces

Need explanation for the polyinstantiation change.

files_delete_usr_files() needs to be broken up.

> Additional mount file system. Any file type can be moved to /tmp.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
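An illustration of the kind of split PeBenito asks for, added here as an example and not taken from the patch under review or from refpolicy's own kernel/files.if: one interface per object class, so a caller such as a tmp cleaner can be granted deletion of unlabeled (file_t) files and directories without also receiving symlink or other-class permissions it never uses. The pattern macros (delete_files_pattern, delete_dirs_pattern, delete_lnk_files_pattern) and gen_require are refpolicy's standard support macros; the _dirs and _symlinks interface names, and the tmpreaper_t caller at the end, are assumptions for the example.

```m4
## <summary>
##	Delete unlabeled (file_t) files.  Example interface split:
##	each object class gets its own interface so callers take only
##	the permissions they need.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_delete_isid_type_files',`
	gen_require(`
		type file_t;
	')

	# search/add/remove in the file_t directory plus unlink of file_t files
	delete_files_pattern($1, file_t, file_t)
')

## <summary>
##	Delete unlabeled (file_t) directories.  (Hypothetical name for
##	this example.)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_delete_isid_type_dirs',`
	gen_require(`
		type file_t;
	')

	delete_dirs_pattern($1, file_t, file_t)
')

## <summary>
##	Delete unlabeled (file_t) symbolic links.  (Hypothetical name for
##	this example.)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_delete_isid_type_symlinks',`
	gen_require(`
		type file_t;
	')

	delete_lnk_files_pattern($1, file_t, file_t)
')

# In the calling module's .te file (assumed tmpreaper_t caller): request
# only the classes the cleaner actually removes, leaving the rest ungranted.
files_delete_isid_type_files(tmpreaper_t)
files_delete_isid_type_dirs(tmpreaper_t)
```

Reviewing a split like this is easier than reviewing one wide interface: each grant names one class, so an auditor reading the .te file can see exactly which file_t objects a domain may remove, and a later caller that needs only file deletion does not inherit directory or symlink permissions as a side effect.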