summaryrefslogtreecommitdiffstats
path: root/security/selinux/selinuxfs.c
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2008-02-28 18:58:40 +0100
committerJames Morris <jmorris@namei.org>2008-04-18 12:26:06 +0200
commitb0c636b99997c8594da6a46e166ce4fcf6956fda (patch)
tree16308f0324846cd8c19180b6a45793268dd16f50 /security/selinux/selinuxfs.c
parentselinux: selinux/netlabel.c should #include "netlabel.h" (diff)
downloadlinux-b0c636b99997c8594da6a46e166ce4fcf6956fda.tar.xz
linux-b0c636b99997c8594da6a46e166ce4fcf6956fda.zip
SELinux: create new open permission
Adds a new open permission inside SELinux when 'opening' a file. The idea is that opening a file and reading/writing to that file are not the same thing. Its different if a program had its stdout redirected to /tmp/output than if the program tried to directly open /tmp/output. This should allow policy writers to more liberally give read/write permissions across the policy while still blocking many design and programing flaws SELinux is so good at catching today. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/selinuxfs.c')
-rw-r--r--security/selinux/selinuxfs.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 0341567665b3..1d996bb953b8 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -42,7 +42,8 @@
/* Policy capability filenames */
static char *policycap_names[] = {
- "network_peer_controls"
+ "network_peer_controls",
+ "open_perms"
};
unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;