Commit 72e8c859 authored by Eric Paris's avatar Eric Paris
Browse files

SELinux: loosen DAC perms on reading policy 



There is no reason the DAC perms on reading the policy file need to be root
only.  There are selinux checks which should control this access.

Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 47a93a5b

security/selinux/selinuxfs.c

+1 −1
Original line number Diff line number Diff line
@@ -1832,7 +1832,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent) 
		[SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},

		[SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},

		[SEL_STATUS] = {"status", &sel_handle_status_ops, S_IRUGO},

		[SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUSR},

		[SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUGO},

		/* last one */ {""}

	};

	ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);

CRA Git | Maintained and supported by SUSTech CRA and CCSE