-
- Downloads
Restrict requesting contexts other than policy-defined defaults.
Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission. Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.
Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: 
Stephen Smalley <sds@tycho.nsa.gov>
Showing
- adbd.te 1 addition, 0 deletionsadbd.te
- domain.te 1 addition, 1 deletiondomain.te
- init.te 6 additions, 0 deletionsinit.te
- kernel.te 2 additions, 0 deletionskernel.te
- recovery.te 3 additions, 0 deletionsrecovery.te
- runas.te 1 addition, 0 deletionsrunas.te
- ueventd.te 3 additions, 0 deletionsueventd.te
- zygote.te 1 addition, 0 deletionszygote.te
Loading
Please register or sign in to comment