From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 18 Jun 2010 14:08:19 -0400
Subject: [refpolicy] admin_prelink.patch
In-Reply-To: <4C06B624.8040502@redhat.com>
References: <4C06B624.8040502@redhat.com>
Message-ID: <1276884499.2929.321.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-06-02 at 15:51 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/admin_prelink.patch
>
> Prelink has new directory under /var/lib

The files_search_var_lib() should be redundant due to the
files_var_lib_filetrans().

> dontaudit leaks from domains that transition
>
> prelink needs to manage executables in the users homedir.

NAK

Prelink is highly trusted to manage system libraries. This is too easy
of a way for users to compromise prelink, which could lead to
compromised system libraries.

> cron job looks at all mount points.

Otherwise merged.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com