diff options
| author | Eric Paris <eparis@redhat.com> | 2008-02-28 12:58:40 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2008-04-18 06:26:06 -0400 |
| commit | b0c636b99997c8594da6a46e166ce4fcf6956fda (patch) | |
| tree | 16308f0324846cd8c19180b6a45793268dd16f50 /security/selinux/selinuxfs.c | |
| parent | d4ee4231a3a8731576ef0e0a7e1225e4fde1e659 (diff) | |
SELinux: create new open permission
Adds a new open permission inside SELinux when 'opening' a file. The idea
is that opening a file and reading/writing to that file are not the same
thing. Its different if a program had its stdout redirected to /tmp/output
than if the program tried to directly open /tmp/output. This should allow
policy writers to more liberally give read/write permissions across the
policy while still blocking many design and programing flaws SELinux is so
good at catching today.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/selinuxfs.c')
| -rw-r--r-- | security/selinux/selinuxfs.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 0341567665b3..1d996bb953b8 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
| @@ -42,7 +42,8 @@ | |||
| 42 | 42 | ||
| 43 | /* Policy capability filenames */ | 43 | /* Policy capability filenames */ |
| 44 | static char *policycap_names[] = { | 44 | static char *policycap_names[] = { |
| 45 | "network_peer_controls" | 45 | "network_peer_controls", |
| 46 | "open_perms" | ||
| 46 | }; | 47 | }; |
| 47 | 48 | ||
| 48 | unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; | 49 | unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; |