diff options
author | Eric Paris <eparis@redhat.com> | 2012-02-16 15:08:39 -0500 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2012-04-09 12:22:36 -0400 |
commit | 72e8c8593f8fdb983d9cd79d824f6b48ef21f14f (patch) | |
tree | 1a1a81d6fc9007f18bedaace192708efd889eaf7 | |
parent | 47a93a5bcb131879d4425d4559e90ad82990825d (diff) | |
download | op-kernel-dev-72e8c8593f8fdb983d9cd79d824f6b48ef21f14f.zip op-kernel-dev-72e8c8593f8fdb983d9cd79d824f6b48ef21f14f.tar.gz |
SELinux: loosen DAC perms on reading policy
There is no reason the DAC perms on reading the policy file need to be root
only. There are selinux checks which should control this access.
Signed-off-by: Eric Paris <eparis@redhat.com>
-rw-r--r-- | security/selinux/selinuxfs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index d6ae2d4..f4b5a0b 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -1832,7 +1832,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent) [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO}, [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO}, [SEL_STATUS] = {"status", &sel_handle_status_ops, S_IRUGO}, - [SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUSR}, + [SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUGO}, /* last one */ {""} }; ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files); |