From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 12 Mar 2010 11:41:05 -0500
Subject: [refpolicy] kernel_filesystem.patch
In-Reply-To: <4B845230.90902@redhat.com>
References: <4B845230.90902@redhat.com>
Message-ID: <1268412065.23411.177.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_filesystem.patch
>
> Changes for handling leaks
>
> Handling fusefs and hugetlbfs, cgroups

I'm confused by this:

+files_type(hugetlbfs_t)
+files_poly_parent(hugetlbfs_t)

If it's a filesystem, it's not a regular file.

> gpfs file system
> devtmpfs file system

I'm thinking that perhaps devtmpfs should be moved to devices and use
device_t, since that's its only purpose.

Fixed fs_dontaudit_read_nfs_symlinks() (it was allowing instead of
dontauditing).

Otherwise merged, with some rearrangement.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
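
Review bot: files_type(hugetlbfs_t) and files_poly_parent(hugetlbfs_t), the two added lines quoted above, carry no comment or rationale for applying the file-type and polyinstantiation-parent interfaces to a type this thread treats as a filesystem type. Suggest either dropping both lines or adding a comment in the patch that names the access requiring them, so the grant can be reviewed against least privilege.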