From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 12 Mar 2010 15:24:17 -0500
Subject: [refpolicy] kernel_filesystem.patch
In-Reply-To: <1268412065.23411.177.camel@gorn.columbia.tresys.com>
References: <4B845230.90902@redhat.com> <1268412065.23411.177.camel@gorn.columbia.tresys.com>
Message-ID: <4B9AA2F1.8030704@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_filesystem.patch
>>
>> Changes for handling leaks
>>
>> Handling fusefs and hugetlbfs, cgroups
>>
> I'm confused by this:
>
> +files_type(hugetlbfs_t)
> +files_poly_parent(hugetlbfs_t)
>
> If it's a filesystem, it's not a regular file.
>
>
Looks like a cut and paste error.
>> gpfs file system
>> devtmpfs file system
>>
> I'm thinking that perhaps devtmpfs should be moved to devices and use
> device_t, since that's its only purpose.
>
>
Sounds good to me. Will this work?

fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);

> Fixed fs_dontaudit_read_nfs_symlinks() (it was allowing instead of
> dontauditing).
>
> Otherwise merged, with some rearrangement.
>
>
Thanks.
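
Review bot: In the quoted hunk, files_type(hugetlbfs_t) and files_poly_parent(hugetlbfs_t) apply file-type interfaces to a type that labels a filesystem, which is the mismatch raised in the reply. Both added lines should be dropped for hugetlbfs_t, and the type declared through the filesystem-type interface (fs_type() in refpolicy) so it does not pick up rules written for regular files.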