SELinux: create new open permission Adds a new open permission inside SELinux when 'opening' a file. The idea is that opening a file and reading/writing to that file are not the same thing. Its different if a program had its stdout redirected to /tmp/output than if the program tried to directly open /tmp/output. This should allow policy writers to more liberally give read/write permissions across the policy while still blocking many design and programing flaws SELinux is so good at catching today. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>

commit: b0c636b99997c8594da6a46e166ce4fcf6956fda [log] [tgz]
author: Eric Paris <eparis@redhat.com> Thu Feb 28 12:58:40 2008 -0500
committer: James Morris <jmorris@namei.org> Fri Apr 18 20:26:06 2008 +1000
tree: 16308f0324846cd8c19180b6a45793268dd16f50
parent: d4ee4231a3a8731576ef0e0a7e1225e4fde1e659 [diff] [blame]
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 0341567..1d996bb 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c

@@ -42,7 +42,8 @@
 
 /* Policy capability filenames */
 static char *policycap_names[] = {
-	"network_peer_controls"
+	"network_peer_controls",
+	"open_perms"
 };
 
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
commit	b0c636b99997c8594da6a46e166ce4fcf6956fda	[log] [tgz]
author	Eric Paris <eparis@redhat.com>	Thu Feb 28 12:58:40 2008 -0500
committer	James Morris <jmorris@namei.org>	Fri Apr 18 20:26:06 2008 +1000
tree	16308f0324846cd8c19180b6a45793268dd16f50
parent	d4ee4231a3a8731576ef0e0a7e1225e4fde1e659 [diff] [blame]