Java and thunderbird or firefox seem to be creating a hugetlbfs file in /anon_hugetab...

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 5923a0ae02ed5e538df480052b8bcc35a3f1fef8..a75dbe40b466d4ac6d93fdf7f0b09bf333172efd 100644 (file)
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2220,6 +2220,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
        manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
 ')
 
+########################################
+## <summary>
+##     Read hugetlbfs files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_read_hugetlbfs_files',`
+       gen_require(`
+               type hugetlbfs_t;
+       ')
+
+       read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
 ########################################
 ## <summary>
 ##     Read and write hugetlbfs files.

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index fe7d9c3e875b65f3661d104a800197c933c3d7b6..f2789eedb54c501fd53e3ac3b8feae23b6833124 100644 (file)
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -24,6 +24,8 @@ kernel_getattr_message_if(staff_usertype)
 kernel_read_software_raid_state(staff_usertype)
 kernel_read_fs_sysctls(staff_usertype)
 
+fs_read_hugetlbfs_files(staff_usertype)
+
 dev_read_cpuid(staff_usertype)
 
 domain_read_all_domains_state(staff_usertype)

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 43c07752898fca54811bb3f57c447132cbf1d36b..71921caa44f352a6af4f51223a5d42b050b8ea31 100644 (file)
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -13,6 +13,7 @@ role user_r;
 userdom_unpriv_user_template(user)
 
 fs_exec_noxattr(user_t)
+fs_read_hugetlbfs_files(user_usertype)
 
 storage_read_scsi_generic(user_t)
 storage_write_scsi_generic(user_t)