From b0c636b99997c8594da6a46e166ce4fcf6956fda Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 28 Feb 2008 12:58:40 -0500 Subject: SELinux: create new open permission Adds a new open permission inside SELinux when 'opening' a file. The idea is that opening a file and reading/writing to that file are not the same thing. Its different if a program had its stdout redirected to /tmp/output than if the program tried to directly open /tmp/output. This should allow policy writers to more liberally give read/write permissions across the policy while still blocking many design and programing flaws SELinux is so good at catching today. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Reviewed-by: Paul Moore Signed-off-by: James Morris --- security/selinux/ss/services.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'security/selinux/ss/services.c') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 26de2be0c8e..4a14348de87 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -61,6 +61,7 @@ extern void selnl_notify_policyload(u32 seqno); unsigned int policydb_loaded_version; int selinux_policycap_netpeer; +int selinux_policycap_openperm; /* * This is declared in avc.c @@ -1308,6 +1309,8 @@ static void security_load_policycaps(void) { selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps, POLICYDB_CAPABILITY_NETPEER); + selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, + POLICYDB_CAPABILITY_OPENPERM); } extern void selinux_complete_init(void); -- cgit v1.2.3-70-g09d2