SELinux: create new open permission
Adds a new open permission inside SELinux when 'opening' a file. The idea is that opening a file and reading/writing to that file are not the same thing. Its different if a program had its stdout redirected to /tmp/output than if the program tried to directly open /tmp/output. This should allow policy writers to more liberally give read/write permissions across the policy while still blocking many design and programing flaws SELinux is so good at catching today. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Eric Paris
James Morris
@@ -14,12 +14,17 @@
|
||||
S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
|
||||
S_(SECCLASS_DIR, DIR__SEARCH, "search")
|
||||
S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
|
||||
S_(SECCLASS_DIR, DIR__OPEN, "open")
|
||||
S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
|
||||
S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
|
||||
S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
|
||||
S_(SECCLASS_FILE, FILE__OPEN, "open")
|
||||
S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
|
||||
S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
|
||||
S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
|
||||
S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
|
||||
S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
|
||||
S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
|
||||
S_(SECCLASS_FD, FD__USE, "use")
|
||||
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
|
||||
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
|
||||
|
||||
Reference in New Issue
Block a user