From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 12 Mar 2010 15:24:17 -0500
Subject: [refpolicy] kernel_filesystem.patch
In-Reply-To: <1268412065.23411.177.camel@gorn.columbia.tresys.com>
References: <4B845230.90902@redhat.com>
	<1268412065.23411.177.camel@gorn.columbia.tresys.com>
Message-ID: <4B9AA2F1.8030704@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
>    
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_filesystem.patch
>>
>> Changes for handling leaks
>>
>> Handling fusefs and hugetlbfs, cgroups
>>      
> I'm confused by this:
>
> +files_type(hugetlbfs_t)
> +files_poly_parent(hugetlbfs_t)
>
> If its a filesystem, its not a regular file.
>
>    
Looks like a cut and paste error.
>> gpfs file system
>> devtmpfs file system
>>      
> I'm thinking that perhaps devtmpfs should be moved to devices and use
> device_t, since thats its only purpose.
>
>    
Sounds good to me.

Will this work?

fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);


> Fixed fs_dontaudit_read_nfs_symlinks() (it was allowing instead of
> dontauditing).
>
> Otherwise merged, with some rearrangement.
>
>    
Thanks.