[patch][selinux] Allow non-root processes to read selinuxfsenforce node
From: Stephen Smalley
Date: Thu Feb 05 2004 - 11:01:55 EST
This patch against 2.6.2-mm1 changes the mode bits on the selinuxfs
enforce node so that non-root processes can read it. This is necessary
to allow non-root userspace policy enforcers to check the enforcing flag
upon a permission failure as well. A process must still have the
appropriate SELinux permission in order to read the node. Please apply.
security/selinux/selinuxfs.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
Index: linux-2.6/security/selinux/selinuxfs.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/selinuxfs.c,v
retrieving revision 1.32
diff -u -r1.32 selinuxfs.c
--- linux-2.6/security/selinux/selinuxfs.c 3 Oct 2003 20:01:16 -0000 1.32
+++ linux-2.6/security/selinux/selinuxfs.c 5 Feb 2004 13:35:49 -0000
@@ -603,7 +603,7 @@
{
static struct tree_descr selinux_files[] = {
[SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR},
- [SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUSR|S_IWUSR},
+ [SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR},
[SEL_CONTEXT] = {"context", &sel_context_ops, S_IRUGO|S_IWUGO},
[SEL_ACCESS] = {"access", &transaction_ops, S_IRUGO|S_IWUGO},
[SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO},
--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/