From 105e85ac8eaed2fee7c164eb120064b9478d492f Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Jul 29 2009 15:08:50 +0000 Subject: /dev/fuse should be s0 not mls_high > From my understanding of the FUSE website, the data from the userland FS > is transferred through this device. Since the data may go up to system > high, I believe the device should still be system high. > Making it systemhigh will generate lots of AVC messages on every login at X Since fusefs is mounted at ~/.gfs. It will also make it unusable I believe on an MLS machine. Mostly I have seen fusefs used for remote access to data. sshfs for example.
---
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 688548e..5afa664 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -57,7 +57,7 @@ ifdef(`distro_redhat', `
 /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
+/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
 /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
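Review bot: The new `/dev/fuse` line drops the node to `s0` with no comment in storage.fc, so the rationale lives only in the commit message while the `fixed_disk_device_t` entries around it stay at `mls_systemhigh`. I would add a comment above the entry, for example `# s0, not mls_systemhigh: opened by user sessions at login for fusefs mounts; systemhigh caused AVC denials and made it unusable under MLS`. The quoted objection in the description is also left unanswered by the change itself: with the node at `s0`, its label no longer bounds the sensitivity of data that passes through the device. Whether the MLS constraints on `fuse_device_t` and the labelling of the mounted filesystem cover that is decided in the policy's .te and constraint files, which are outside this diff, so it should be confirmed on an MLS build before merging.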