From 0d894f572acf108ccf35b80c511fb43854c2cdd4 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Tue, 13 Oct 2015 09:01:52 -0500 Subject: [PATCH] V-51739: LSM device labeling exception Implements: blueprint security-hardening Change-Id: Iad9f2e4e98815794e3ec84cb5f4b7194512d666f --- doc/source/developer-notes/V-51379.rst | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 doc/source/developer-notes/V-51379.rst diff --git a/doc/source/developer-notes/V-51379.rst b/doc/source/developer-notes/V-51379.rst new file mode 100644 index 00000000..393e1b4f --- /dev/null +++ b/doc/source/developer-notes/V-51379.rst @@ -0,0 +1,7 @@ +**Exception** + +Although SELinux works through a labeling system where every file (including +devices) receive a label, AppArmor works purely through policies without +labels. However, openstack-ansible does configure several AppArmor policies +to reduce the chances and impact of LXC container breakouts on OpenStack +hosts.
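Review bot: the new file is named doc/source/developer-notes/V-51379.rst, but the subject line gives the ID as V-51739. The digits are transposed in one of the two, so confirm which ID this exception covers and make the filename and the subject agree, since a developer note filed under the wrong ID will not be found when someone looks up the control. In the added text, "every file (including devices) receive a label" should read "receives a label". The exception would also be easier to audit if it named the AppArmor policies that openstack-ansible configures, or pointed to where they are defined, because the text only says "several AppArmor policies".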